PALO ALTO NETWORKS
PCNSE7 STUDY GUIDE
March 2017
Contents
Palo Alto Networks PCNSE7 Study Guide
Overview
  Exam Details
  Intended Audience
  Qualifications
  Skills Required
  Recommended Training
  About This Document
Architecture and Design
  Identify how Palo Alto Networks products work together to detect and prevent threats.
    Preventing Successful Cyberattacks
  How to architect a solution to meet the business requirements and leverage the security platform.
    Choosing the Appropriate Firewall
    Security Policy
    Security Zones
    Traffic Processing Sequence
  Evaluate high availability (HA) designs and configurations for various deployments.
    High Availability
    Active/Passive Clusters
    Active/Active Clusters
    Failover
    Additional High Availability Information
  Identify the appropriate interface type and configuration for a specified network deployment.
    Types of Interfaces
    Decrypt Mirror
  Identify the fundamental functions residing on the management and dataplanes of a Palo Alto Networks firewall.
    Management and Dataplanes
  How to control bandwidth use on a per-application basis.
    Additional Information
  Identify the fundamental functions and concepts of WildFire.
    WildFire Overview
    Additional Information
  Section 2 Sample Questions
Management
  Identify the required settings and steps necessary to provision and deploy a next-generation firewall.
    Steps to Connect the Firewall
    Installing and Activating Licenses
    Dynamic Updates
    Firewall Configuration
  Determine how to leverage Panorama to centrally manage device configurations and logs.
    Panorama Overview
    Storage of Saved Configurations
    Log Event Aggregation
  Update a Palo Alto Networks system to the latest version of code or content.
    Standalone Firewalls
    HA Firewalls
    Upgrading Firewalls Under Panorama Management
    HA Cluster Firewall Updates Managed by Panorama
  Identify how configuration management operations are used to ensure desired operational state of stability and continuity.
    Running Configuration and Candidate Configuration
  Identify methods for authorization, authentication, and device administration.
    Administrative Accounts
    Authentication
  Identify the deployment, configuration, and management of Security profiles and options.
    Security Profile Overview
    WildFire Analysis Profiles
    URL Filtering Profiles
  Identify the deployment, configuration, and management features of the NAT rulebase.
    NAT Overview
    Dynamic IP and Port NAT
  Identify decryption deployment strategies.
    Packet Visibility
    Decryption
    Keys and Certificates
    Decryption Policies
    SSL Forward Proxy
    App-ID and Encryption
  Identify application override configuration and use.
    Use Cases
  Section 5 Sample Questions
Logs and Stats
  Identify considerations for configuring external log forwarding.
    Direct Firewall Log Forwarding
    Forwarding of Logs to Panorama
  Interpret log files, reports, and graphs to determine traffic and threat trends.
    PDF Reports
    User/Group Activity Report
    PDF Summary Report
    Application Command Center
    Automated Correlation Engine
  Identify the configuration requirements used to perform a packet capture.
    Automatic Threat Detection Captures
    Manual Packet Captures
Overview
The Palo Alto Networks Certified Network Security Engineer (PCNSE7) is a formal, third-party
proctored certification that indicates that those who have passed it possess the in-depth
knowledge to design, install, configure, maintain, and troubleshoot the majority of
implementations based on the Palo Alto Networks platform.
This exam will certify that the successful candidate has the knowledge and skills necessary to
implement a Palo Alto Networks Next-Generation Firewall PAN-OS 7 platform in any
environment. This exam will not cover Aperture, Traps, and AutoFocus.
https://www.paloaltonetworks.com/services/education/pcnse
Exam Details
Certification Name: Palo Alto Networks Certified Network Security Engineer on PAN-OS 7
Delivered through Pearson VUE: www.pearsonvue.com/paloaltonetworks
Exam Series: PCNSE7
Seat Time: 90 minutes/120 minutes ESL
Number of items: 60
Format: Multiple Choice, Scenarios with Graphics, and Matching
Language: English
Intended Audience
The PCNSE exam should be taken by anyone who wants to demonstrate a deep understanding
of Palo Alto Networks technologies, including customers who use Palo Alto Networks products,
value-added resellers, pre-sales system engineers, system integrators, and support staff.
Qualifications
You should have three to five years' experience working in the networking or security
industries and the equivalent of 6 months' experience working full-time with the Palo Alto
Networks security platform.
Skills Required
You can plan, deploy, configure, and troubleshoot Palo Alto Networks Security platform
components.
You have product expertise and understand the unique aspects of the next-generation
security platform and how to deploy one appropriately.
You understand networking and security policies used by PAN-OS software.
Recommended Training
Palo Alto Networks strongly recommends that the candidate attend the following courses:
Firewall 8.0 Essentials: Configuration and Management (EDU-210), Panorama: Manage Multiple
Firewalls (EDU-221), and Firewall: Debug and Troubleshoot (EDU-311). Courses do not cover
everything that a PCNSE7 needs to know, but they're the most efficient way to start learning.
When you have the basics mastered, you should spend time on our platform practicing using
the information in the 7.1 version of the Administrator's Guide. Find the guide here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os
The Administrator's Guide contains specific configuration information and some best practice
configuration settings. Remember also that a number of supplemental documents are on the
learning site. We suggest that all candidates take advantage of this free resource.
The Palo Alto Networks Next-Generation Security Platform protects our digital way of life by
safely enabling applications and preventing known and unknown threats across the network,
cloud, and endpoints. The native integration of the platform delivers a prevention architecture
that can provide superior security at lower total cost of ownership.
Our platform has four major components that enable the prevention of successful cyberattacks:
By employing the Palo Alto Networks Threat Intelligence Cloud, businesses leverage the global threat community to detect
unknown threats and to convert them into known, stoppable threats.
The following link provides a PDF features summary of all firewall models including throughput:
https://www.paloaltonetworks.com/resources/datasheets/product-summary-specsheet
The Single Pass Architecture means that each packet traverses the architecture only once.
The Palo Alto Networks firewall was designed to use an efficient system referred to as Next
Generation Processing, which allows the system to perform packet evaluation, application
identification, policy decisions, and content scanning in a single efficient processing pass.
Palo Alto Networks firewalls contain Next Generation Security features consisting of:
App-ID: Scanning of traffic to identify the application that is involved, regardless of the protocol.
Content-ID: Scanning of indicated traffic for security threats, data leak prevention, and URL filtering; e.g., virus, spyware, unwanted file transfers, specific data patterns, vulnerability attacks, and appropriate browsing access.
User-ID: Matching of a user to an IP address (or multiple IP addresses).
Security Policy
The Security policy consists of numerous security rules that are the keystone of the firewall's
ability to enable or block sessions. Numerous match conditions can be used when creating
these rules. Security zones, source and destination IP address, application (App-ID), source user
(User-ID), service (port), HIP match, and URL categories in the case of web traffic all can serve
as traffic matching criteria for allow/block decision making. Allowed sessions can be scanned
further based on Security profiles (Content-ID) to identify unwanted packet content. These
profiles use known threat signatures and a mechanism (WildFire) to identify unknown threats,
automatically generating new threat signatures. Examples of security rules and profiles are
shown in the following images.
Profile settings for a Security policy rule that enable Content-ID threat scanning
Security Zones
Palo Alto Networks firewalls are zone based. In order for traffic to pass, the deployment
requires that security zones be implemented. These zones act as a logical way to group physical
and virtual interfaces. Zones also are required to control and log the traffic that traverses the
interfaces. An interface must be of the same type as the zone it is assigned (TAP, Virtual Wire,
Layer 2, or Layer 3). In order to pass traffic through an interface, it must be assigned to a zone.
A zone can have multiple interfaces of the same type assigned to it, but an interface can belong
to only one zone.
All sessions on the firewall are defined by their source and destination zones. Rules can use these
defined zones to allow or deny traffic, apply QoS, or perform NAT. All traffic can flow freely
within a zone, which is referred to as intrazone traffic. Traffic between zones (interzone traffic)
is denied by default. Traffic is allowed to travel between zones only if a security rule is
defined and that rule matches all of the conditions of the session. For interzone traffic, Security
policy rules must reference a source zone and destination zone (not interfaces) to allow or deny
traffic.
Security policies are used to create a positive (whitelist) and/or negative (blacklist) enforcement
model for traffic flowing through the firewall. In order for the firewall to properly evaluate,
configure, and maintain Security policies, the necessary security rules must be in place. These
rules are evaluated from the top down, and the first rule whose match conditions fit the session
allows or denies the matching traffic. If logging is enabled on the matching rule and the traffic
crosses a zone boundary, the action for that session is logged. These logs are extremely
useful for adjusting the positive/negative enforcement model. The log information can be used
to characterize traffic, providing specific usage information and allowing precise policy creation
and control. Palo Alto Networks firewall logs, the Application Command Center, App Scope, and
other reporting tools all work together to precisely describe traffic and usage patterns.
Session processing sequence
Active/Passive Clusters
Active/passive HA is the recommended deployment method in nearly every case. It consists of a
single firewall configuration synchronized between two firewalls, with only one being active
and handling traffic at a given time. The synchronization of the configuration data occurs across
the HA1 connection. The session data is kept on both firewalls via the HA2 connection. This
synchronization process allows the passive firewall to take control of the existing session with
little to no loss of data flow.
Active/Active Clusters
Active/active consists of a cluster of two firewalls attached with three cables: HA1, HA2, and
HA3. It is recommended only when load-balancing technology randomizes the routing of traffic
between the firewalls. Please see the following additional documentation for active/active:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/ta-p/58158?attachment-id=535
Failover
The high availability process can be monitored, and failover triggered, by a number of different
methods. To avoid a split-brain scenario, you should use all of the methods, which include a
simple heartbeat, path monitoring, and link monitoring.
In an active/passive HA pair only the active firewall processes traffic.
High Availability failover support in both active/active and active/passive clusters includes all
firewall features and is non-disruptive to user sessions. Active/passive clusters include two
interconnections between firewalls to synchronize all data required for failover support.
The HA1 and HA2 links work together to keep the HA firewalls perfectly synchronized.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-High-Availability-on-PAN-OS/ta-p/54086
https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/57292
and:
https://live.paloaltonetworks.com/t5/Documentation-Articles/High-Availability-Synchronization/ta-p/61190?attachment-id=1035
An active/active overview can be found here. This document refers to an older version of
PAN-OS software with an outdated UI, but the concepts remain the same for PAN-OS 7.1:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/ta-p/58158?attachment-id=535
Interface types are determined by functional needs.
The following screen capture shows primary configuration options for interfaces.
Possible interface configuration options to match your integration needs
Decrypt Mirror
Decrypt Mirror is a special configuration supporting the routing of decrypted traffic copies
through an external interface to DLP services.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Decrypt-Mirror-Port-on-PAN-OS-6-0/ta-p/57440
LACP Protocol
Physical Layer 2 and 3 interfaces can be aggregated into single logical interfaces using the LACP
protocol for multiplexing traffic.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LACP/ta-p/65837
Virtual Interfaces
Palo Alto Networks firewalls also provide several virtual interface types for additional
functionality.
Loopback interfaces can be used for VPN, routing, GlobalProtect, and DNS Sinkhole configurations.
VLANs are logical interfaces specifically serving as interconnects between on-board virtual
switches (VLANs) and virtual routers, which allows traffic to move from Layer 2 to Layer 3
within the firewall.
Specific information can be found here. This article is dated with older UI screenshots, but the
concepts are still current.
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Layer-2-to-Layer-3-Connection-on-the-Palo/ta-p/52787
Loopback Interfaces
Loopback interfaces are Layer 3 interfaces that exist only virtually and connect to virtual routers
in the firewall. Loopback interfaces are used for multiple network engineering and
implementation purposes. Loopback interfaces can be used for VPN, routing, GlobalProtect,
and DNS Sinkhole configurations.
Tunnel Interfaces
Tunnel interfaces specifically serve VPN tunnels and are Layer 3 only.
To set up a VPN tunnel, you must configure the Layer 3 interface at each end and have a logical
tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a
logical (virtual) interface that is used to deliver traffic between two endpoints. Each tunnel
interface can have a maximum of 10 IPSec tunnels, which means that up to 10 networks can be
associated with the same tunnel interface on the firewall.
The tunnel interface must belong to a security zone to apply policy and it must be assigned to a
virtual router in order to use the existing routing infrastructure. Ensure that the tunnel
interface and the physical interface are assigned to the same virtual router so that the firewall
can perform a route lookup and determine the appropriate tunnel to use.
Typically, the Layer 3 interface that the tunnel interface is attached to belongs to an external
zone, for example, the untrust zone. Although the tunnel interface can be in the same security
zone as the physical interface, for added security and better visibility you can create a separate
zone for the tunnel interface. If you create a separate zone for the tunnel interface (for
example, a VPN zone), you will need to create Security policies to enable traffic to flow
between the VPN zone and the trust zone.
A tunnel interface does not require an IP address to route traffic between the sites. An IP
address is required only if you want to enable tunnel monitoring or if you are using a dynamic
routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address
serves as the next-hop IP address for routing traffic to the VPN tunnel.
Interface Configurations
Each interface includes configurations for binding various services to them. HTTPS includes the
WebUI service and should be included on at least one interface. The Permitted IP Address
entries allow an Access Control List to be included, restricting access to any interface with this
profile assigned.
Protocol services and internal processes can be selectively bound to interfaces.
Palo Alto Networks firewalls provide a number of traffic-handling objects to move traffic
between interfaces and typically are required for that movement. The available types are VLAN
objects (VLANs) for Layer 2 traffic, virtual routers for Layer 3 traffic, and virtual wires for virtual
wire interfaces.
The available traffic-handling objects required to move traffic from one interface to another
Each Layer 3 dynamic routing protocol includes appropriate specific configuration options. An
example of OSPF v2 follows.
An example of a dynamic routing configuration
IPSec tunnels are considered Layer 3 traffic segments for implementation purposes and are
handled by virtual routers as any other network segment. Forwarding decisions are made by
destination address, not by VPN policy.
Additional Information
Network design:
https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks-Firewalls/ta-p/60868?attachment-id=1585
Layer 2 interfaces:
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-2-Interfaces/ta-p/68229
Layer 3 interfaces:
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-DHCP/ta-p/66999
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67395
Panorama is a separate Palo Alto Networks product supplied in either virtual or physical
appliance form sized to match desired functions, number of firewalls, and level of firewall
activity. Panorama should be implemented as a high availability cluster consisting of two
identical platforms. Unlike firewalls, Panorama HA cluster members can be physically
separated.
https://www.paloaltonetworks.com/products/secure-the-network/management/panorama
A presentation of the different Panorama platforms and their capacities can be found here:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/panorama-platforms#51887
Panorama can provide centralized management, logging, reporting, software updates, and administrative control to multiple
firewalls.
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/about-panorama#74210
Log Aggregation
Among these features, log aggregation of events from firewalls to an enterprise-level log stored
on Panorama requires specific design and scaling consideration. When implemented, copies of
log events are forwarded from firewalls to Panorama as they are generated. Specific settings
are created for each firewall determining the specific event types to forward. This forwarding
can be CPU and disk-intensive on the Panorama platform and needs to be sized carefully. In
high log volume situations an intermediate level of log collecting appliances can be
implemented (Logger in the preceding diagram).
https://www.paloaltonetworks.com/documentation/70/panorama/panorama_adminguide/manage-log-collection
Palo Alto Networks designed the Panorama UI to be as similar to the firewall UI as possible to
reduce the administrator's learning curve. All menus (other than Panorama) are faithfully
reproduced, with mostly identical menu options.
Top-level user interface for Panorama
Template objects store settings that appear in the Panorama UI under the Device and Network
menus, and are created in Panorama. An administrator who enters any information under the
Panorama Device or Network tab must choose the Template that receives the settings.
A firewall can be assigned only one template at a time. The template can be an individual
template or a template stack of up to 16 individual templates. In the case of a stack, the
settings are inherited down the stack, ultimately reaching the firewall at the bottom. Duplicates
at different levels will override others with a user-selectable inheritance setting. Stacks can be
created and broken on demand from constituent templates.
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/templates-and-template-stacks#12545
Device Group settings are stored in the Policies and Objects tabs. As with templates, they are
deliberately created by Panorama administrators and assigned to firewalls. Firewalls can be
attached to only one Device Group object or Hierarchy. Device Group Hierarchies can be
modified after they are created. In these cases, settings are inherited down the hierarchy,
ultimately reaching the firewall at the bottom.
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/device-groups#78831
Panorama-supplied data merges with the local firewall configuration (if any) at Panorama commit
time. In the case of policies, the merged result is built according to strict ordering rules: locally
created firewall policies occupy the middle of the resulting list, and Panorama-supplied policies
occupy the top (Pre) or bottom (Post). Whether a Panorama rule is Pre or Post is chosen
deliberately when the rule is created in Panorama.
Panorama supplied policies merge with local policies in this manner.
See the following image for the Policy menu on Panorama featuring the Pre and Post position
selections.
Panorama policy menu for Pre Rules and Post Rules
An administrator entering any information under the Panorama Policy or Objects tab must
choose the Device Group to receive the settings.
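The top-down, first-match evaluation with intrazone-allow and interzone-deny defaults described under Security Zones, and the Pre / local / Post ordering described above, as an added Python model (not Palo Alto Networks code). Zone names, rule names and sessions are constructed for illustration; the shadowed-rule check goes a step beyond the guide by flagging later rules that an earlier rule makes unreachable.

```python
# Added example, not Palo Alto Networks code: a small model of how the guide describes
# Security policy evaluation (top-down, first match, intrazone allowed and interzone
# denied by default) and how Panorama Pre and Post rules wrap a firewall's local rules.
# The zone names, rule names and sessions below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = frozenset({"any"})          # the "any" selector in a rule's match field
MATCH_FIELDS = ("from_zones", "to_zones", "apps")


def _covers(field: FrozenSet[str], value: str) -> bool:
    """A match field covers a session value if it is 'any' or lists that value."""
    return field == ANY or value in field


def _superset(outer: FrozenSet[str], inner: FrozenSet[str]) -> bool:
    """True when every value matching `inner` also matches `outer`."""
    return outer == ANY or (inner != ANY and inner <= outer)


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    apps: FrozenSet[str]          # App-ID names
    action: str                   # "allow" or "deny"
    log: bool = True              # log at session end

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        return (_covers(self.from_zones, src_zone)
                and _covers(self.to_zones, dst_zone)
                and _covers(self.apps, app))

    def shadows(self, other: "Rule") -> bool:
        """True if self, placed above other, takes every session other could match."""
        return all(_superset(getattr(self, f), getattr(other, f)) for f in MATCH_FIELDS)


# The implicit rules at the bottom of every rulebase, as the guide states them:
# traffic within a zone is allowed, traffic between zones is denied. Neither logs.
INTRAZONE_DEFAULT = Rule("intrazone-default", ANY, ANY, ANY, "allow", log=False)
INTERZONE_DEFAULT = Rule("interzone-default", ANY, ANY, ANY, "deny", log=False)


def merged_rulebase(pre: List[Rule], local: List[Rule], post: List[Rule]) -> List[Rule]:
    """Panorama Pre rules sit above the firewall's local rules, Post rules below them."""
    return list(pre) + list(local) + list(post)


def evaluate(rulebase: List[Rule], src_zone: str, dst_zone: str,
             app: str) -> Tuple[str, str, bool]:
    """Top-down, first match wins. Returns (rule name, action, logged?)."""
    for rule in rulebase:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action, rule.log
    default = INTRAZONE_DEFAULT if src_zone == dst_zone else INTERZONE_DEFAULT
    return default.name, default.action, default.log


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable.
    Such rules are a common finding when reviewing a rulebase that is matched top-down."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if earlier.shadows(later):
                found.append((later.name, earlier.name))
                break
    return found


def sample_rulebase() -> List[Rule]:
    """Constructed example: one Panorama Pre rule, two local rules, one Post rule."""
    pre = [Rule("block-tor", ANY, ANY, frozenset({"tor"}), "deny")]
    local = [
        Rule("web-out", frozenset({"trust"}), frozenset({"untrust"}),
             frozenset({"web-browsing", "ssl"}), "allow"),
        # Never reached: web-out above it already covers ssl from trust to untrust.
        Rule("ssl-out", frozenset({"trust"}), frozenset({"untrust"}),
             frozenset({"ssl"}), "allow"),
    ]
    post = [Rule("vpn-to-trust", frozenset({"vpn"}), frozenset({"trust"}), ANY, "allow")]
    return merged_rulebase(pre, local, post)


if __name__ == "__main__":
    rb = sample_rulebase()
    for s in [("trust", "untrust", "tor"), ("trust", "untrust", "ssl"),
              ("trust", "untrust", "smtp"), ("trust", "trust", "smtp"),
              ("vpn", "trust", "ms-ds-smb")]:
        print(s, "->", evaluate(rb, *s))
    print("shadowed:", shadowed_rules(rb))
```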
The Commit process on Panorama consists of multiple phases. Newly entered data first must be
committed to Panorama, followed by a Template and/or Device Group Commit as required.
Panorama has different types of commits. Pushing new data to firewalls typically requires several types to be executed
simultaneously.
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/panorama-commit-and-validation-operations#19040
Panorama adds a new level of enterprise administrator. These administrators are defined by a
role together with the scope of firewalls they can access (an Access Domain); the two work in
conjunction to support a decentralized management model.
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/role-based-access-control#93635
In both private and public cloud environments, the VM-Series can be deployed as a perimeter
gateway, an IPSec VPN termination point, and a segmentation gateway, preventing threats
from moving from workload to workload.
These firewalls run the same PAN-OS software as hardware appliance firewalls with the same
feature set.
https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series
Implementation uses the same design and deployment principles as hardware appliance
firewalls with a few exceptions due to the hosting virtual environment.
1. Which three statements are true about Palo Alto Networks Next-Generation Firewalls?
(Choose three.)
a) The Single Pass Architecture design includes an industry-leading content scanning
engine available as a software or hardware option.
b) Palo Alto Networks firewalls are part of a Security Platform that includes integration
with a Threat Intelligence Cloud.
c) The App-ID next-generation feature of the firewall will accurately identify the
responsible application generating all traffic passing through the firewall.
d) Palo Alto Networks firewalls natively support encrypted connections with IPSec and
SSL encryption technologies.
2. Which three options are next-generation features of Palo Alto Networks firewalls?
(Choose three.)
a) Cluster-ID
b) App-ID
c) Content-ID
d) Flow-ID
e) User-ID
3. Which two Palo Alto Networks firewall models support active/active High Availability?
(Choose two.)
a) PA-200
b) VM-300
c) PA-7050
d) PA-3020
e) VM-200
Core Concepts
Identify the key features of a next-generation Layer 7 firewall
and its advantages over a traditional firewall.
Palo Alto Networks firewalls implement three primary next-generation features.
App-ID
App-ID is a patented traffic classification technology in Palo Alto Networks Next-Generation
Firewalls that positively identifies applications traversing your network. Applications can be
identified even if traffic is encrypted or if applications use network ports in a non-standard manner (either for evasion or in an attempt to provide "just works" convenience). This inspection prevents undesired access by evasive applications that use alternate ports (e.g., TCP port 80).
Identifying each application allows granular Security policies to be written that safely enable
just the appropriate application access by authorized users. This feature is a significant
improvement over the traditional port and protocol-only firewall capability. Application
identification is performed through the life of each session on the firewall.
Figure: The App-ID process constantly scans traffic streams, identifying and updating identifications as required.
New App-IDs are constantly being created by Palo Alto Networks and updated automatically to
firewalls.
Figure: Palo Alto Networks automatically updates firewalls with new App-IDs.
App-ID blocking actions can include user notification, eliminating confusion and help desk
traffic.
Figure: App-ID blocking can provide feedback to the users.
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief
User-ID
The User Identification (User-ID) feature of the Palo Alto Networks Next-Generation Firewall
enables you to create policies and perform reporting based on users and groups rather than on
individual IP addresses. When User-ID is combined with App-ID results, specific users can be
granted access to only the applications they need, significantly reducing the organization's
attack surface.
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/user-id-tech-brief
Content-ID
Content-ID technology delivers a new security approach based on the complete analysis of all
allowed traffic, using multiple advanced threat prevention technologies in a single, unified
engine.
The user and application visibility and control of App-ID and User-ID, coupled with the
content inspection enabled by Content-ID, empowers IT teams to regain control over
application traffic and related content.
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/content-id-tech-brief
Each type of policy is implemented as an ordered list; match processing against traffic runs
from the top of the list down. The first policy that matches the traffic is executed, and no
further policies of that type are processed. The policy types are evaluated in the order shown
in the following process flow:
Figure: All traffic processed by the firewall follows this sequence of events.
Evaluation Order
An example of the importance of evaluation order is the relationship between NAT and Security policies.
NAT policies change the IP addresses in packet headers. Security policies are required to allow
the traffic in question to transit the firewall. The processing order means that the address changes
made by NAT policies take effect only after Security policies have been evaluated, so Security
policies must be written for the pre-NAT packet addresses.
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/policy-types
https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Test-Security-NAT-and-PBF-Rules-via-the-CLI/ta-p/55911
An overview of APTs as they relate to Palo Alto Networks firewalls can be found here:
https://www.paloaltonetworks.com/features/apt-prevention
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/set-up-a-basic-security-policy#79320
The completion of these steps provides only a basic setup that is not comprehensive enough to
protect your network. The next phase can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/best-practice-internet-gateway-security-policy#60768
The previous review includes a review of Security profiles, which are an important aspect of
protection, detection, and prevention for specific types of threats. See the following document
for more details:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/create-best-practice-security-profiles#48239
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory
and terminal services offerings, enabling you to associate application activity and policy rules to
users and groups, not just IP addresses. Furthermore, with User-ID enabled, the Application
Command Center (ACC), App Scope, reports, and logs all include usernames in addition to user
IP addresses.
For user- and group-based policies, the firewall requires a list of all available users and their
corresponding group mappings that you can select when defining your policies. The firewall
collects group mapping information by connecting directly to your LDAP directory server.
Before the firewall can enforce user- and group-based policies, it must be able to map the IP
addresses in the packets it receives to usernames. User-ID provides many mechanisms to
collect this user mapping information.
A User-ID agent process runs either on the firewall (Agentless implementation) or installed as a
separate process on a Windows OS machine. This User-ID agent monitors various network
technologies for authentication events and gathers the data creating a master IP-address-to-
user mapping table stored in the firewall. For example, the User-ID agent monitors server logs
for login events, probes clients, and listens for syslog messages from authenticating services. To
identify mappings for IP addresses that the agent didn't map, you can configure the firewall to
redirect HTTP requests to a Captive Portal login. You can customize the user mapping
mechanisms to suit your environment, and even use different mechanisms at different sites.
Figure: PAN-OS software can use multiple information sources to map usernames to the IP address of a session.
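The mapping table described above, as an added example that is not code from the study guide or from the PAN-OS User-ID agent. It builds the IP-address-to-user table from two constructed event sources (a VPN syslog line and a domain-controller logon record), replaces an address's mapping when a newer login is seen, expires stale entries, and returns no user for an unmapped or expired address, which is the case the text says Captive Portal can cover. The log formats, the 45-minute timeout and all addresses and names are this example's own assumptions.

```python
"""User-ID style IP-address-to-user mapping built from login events.

Added example (not from the study guide or the PAN-OS User-ID agent).
Events from several sources (constructed syslog lines and a constructed
domain-controller logon record) are parsed into ip -> (user, expiry) entries.
"""
import re
from datetime import datetime, timedelta

MAPPING_TIMEOUT = timedelta(minutes=45)  # assumed value; the real timeout is configurable

# Parsers for the constructed sample formats. Each returns (ip, user) or None.
SYSLOG_VPN = re.compile(r"Login succeeded user=(?P<user>[\w.\\-]+) ip=(?P<ip>[\d.]+)")
DC_EVENT = re.compile(r"EventID=4624 .*Account Name: (?P<user>\S+).*Source Network Address: (?P<ip>[\d.]+)")


def parse_event(line):
    """Extract (ip, user) from a known authentication event, else None."""
    for pattern in (SYSLOG_VPN, DC_EVENT):
        m = pattern.search(line)
        if m:
            return m.group("ip"), m.group("user").lower()
    return None


class UserMappingTable:
    """ip -> (user, expiry). A newer login for an IP replaces the old mapping."""

    def __init__(self, timeout=MAPPING_TIMEOUT):
        self.timeout = timeout
        self.entries = {}

    def learn(self, line, seen_at):
        """Feed one log line; returns True if it produced a mapping."""
        parsed = parse_event(line)
        if parsed is None:
            return False  # not an authentication event, ignored
        ip, user = parsed
        self.entries[ip] = (user, seen_at + self.timeout)
        return True

    def lookup(self, ip, now):
        """User for a session from `ip`, or None if unmapped or expired."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self.entries[ip]  # stale mapping; policy would fall back to Captive Portal
            return None
        return user


def build_sample_table():
    """Constructed sample events (not real logs) fed through the table."""
    t0 = datetime(2017, 3, 1, 9, 0, 0)
    events = [
        (t0, "Mar  1 09:00:00 vpn1 ras: Login succeeded user=corp\\alice ip=10.2.5.20"),
        (t0 + timedelta(minutes=1), "EventID=4624 Account Name: bob Source Network Address: 10.2.5.21"),
        (t0 + timedelta(minutes=2), "Mar  1 09:02:00 vpn1 ras: Keepalive ip=10.2.5.20"),
        (t0 + timedelta(minutes=3), "Mar  1 09:03:00 vpn1 ras: Login succeeded user=corp\\carol ip=10.2.5.20"),
    ]
    table = UserMappingTable()
    learned = sum(table.learn(line, ts) for ts, line in events)
    return table, learned, t0


if __name__ == "__main__":
    table, learned, t0 = build_sample_table()
    print(learned, "mappings learned")
    print("10.2.5.20 ->", table.lookup("10.2.5.20", t0 + timedelta(minutes=4)))
    print("10.2.5.21 ->", table.lookup("10.2.5.21", t0 + timedelta(minutes=50)))
```

The second login from 10.2.5.20 replaces the first, so a shared or re-assigned address follows the most recent authentication, and the keepalive line is ignored because it carries no user.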
Additional Information
A complete overview of User-ID can be found here:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id
Design and deployment considerations for complex environments can be found here:
https://live.paloaltonetworks.com/t5/Configuration-Articles/Architecting-User-Identification-Deployments/ta-p/60904?attachment-id=2853
https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-best-practices/ta-p/65756?attachment-id=3509
and:
https://live.paloaltonetworks.com/t5/Learning-Articles/Best-practices-for-securing-User-ID-deployments/ta-p/61606
Figure: Palo Alto Networks maintains the management plane and dataplane separation to protect system resources.
Every Palo Alto Networks firewall assigns a minimum of these functions to the management
plane:
Configuration management
Logging
Reporting functions
User-ID agent process
Route updates
The Management Network and Console connector terminates directly on this plane.
As more computing capability is added to more powerful firewall models, the management and
dataplanes gain other functionality as required, sometimes implemented on dedicated cards.
Several core functions gain FPGAs (field-programmable gate arrays) for flexible high-
performance processing. Additional management plane functions might include:
Figure: PA-7000 Series architecture
Palo Alto Networks QoS provides basic QoS applied to networks and extends it to provide QoS
to applications and users.
Palo Alto Networks QoS provides an Application Aware QoS service that can be driven by the
traffic's App-ID. Existing QoS packet markings can be used as input to QoS decisions, and QoS
markings can be written back to packets for consumption by other network nodes.
QoS implementation on a Palo Alto Networks firewall begins with three primary configuration
components that support a full QoS solution: a QoS policy, a QoS profile, and configuration of
the QoS egress interface. Each option in the QoS configuration task facilitates a broader process
that optimizes and prioritizes the traffic flow and allocates and ensures bandwidth according to
configurable parameters.
Figure: PAN-OS QoS functionality can use App-ID for specific bandwidth reservation.
QoS profiles describe the priority to be given to the specified traffic when the interface
becomes constrained. As priority decreases, more packets are randomly dropped until the
constraint is cleared. Profiles also specify bandwidth enforcement applied at all times.
Figure: QoS profiles prioritize specified traffic.
Assignment of the profile to an interface is the final step. This assignment shapes only egress
traffic on the interface.
Figure: Profiles are applied to interfaces to control their egress traffic.
Figure: QoS is configured at the policy, profile, and interface level for granular control.
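A model of the three QoS components above, added here as an example and not taken from the study guide or from PAN-OS. A QoS policy assigns a class by first match (App-ID and user are the match conditions used here; unmatched traffic goes to class 4), a QoS profile gives each class a priority and egress guaranteed/maximum values, and an interface egress limit constrains the total. The allocation routine (honour guarantees first, hand out the remainder in priority order, treat unmet demand as dropped) is this example's own simplification of the behaviour the text describes, not the firewall's scheduler; the rules, profile values and application names are constructed.

```python
"""Simplified model of PAN-OS QoS: policy -> class, profile -> treatment.

Added example, not code from the study guide or PAN-OS. The allocation
algorithm is an illustrative assumption, not the firewall's scheduler.
"""
from dataclasses import dataclass

PRIORITY_ORDER = {"real-time": 0, "high": 1, "medium": 2, "low": 3}
DEFAULT_CLASS = 4  # traffic matching no QoS rule is treated as class 4


@dataclass
class QosRule:
    name: str
    apps: frozenset   # App-ID names, or "any"
    users: frozenset  # "any", "known-user", or explicit user names
    qos_class: int


@dataclass
class ClassSpec:
    priority: str
    guaranteed_mbps: float  # enforced at all times
    max_mbps: float         # hard ceiling for the class


def classify(rules, app, user):
    """QoS policy: first matching rule wins; otherwise the default class."""
    for r in rules:
        app_ok = "any" in r.apps or app in r.apps
        user_ok = ("any" in r.users or user in r.users
                   or ("known-user" in r.users and user is not None))
        if app_ok and user_ok:
            return r.qos_class
    return DEFAULT_CLASS


def allocate(profile, demand_mbps, interface_max_mbps):
    """Return {class: allowed Mbps} for offered load under an egress limit.

    Pass 1 grants each class its egress guaranteed value. Pass 2 shares what is
    left in priority order, capped by each class's egress max; lower-priority
    classes are the first to have demand left unserved (dropped)."""
    allowed = {}
    remaining = interface_max_mbps
    for cls, demand in demand_mbps.items():
        got = min(demand, profile[cls].guaranteed_mbps, remaining)
        allowed[cls] = got
        remaining -= got
    order = sorted(demand_mbps, key=lambda c: (PRIORITY_ORDER[profile[c].priority], c))
    for cls in order:
        want = min(demand_mbps[cls], profile[cls].max_mbps) - allowed[cls]
        extra = max(0.0, min(want, remaining))
        allowed[cls] += extra
        remaining -= extra
    return allowed


# Constructed example configuration (assumed values).
RULES = [
    QosRule("voip", frozenset({"sip", "rtp"}), frozenset({"any"}), 1),
    QosRule("staff-video", frozenset({"youtube"}), frozenset({"known-user"}), 6),
    QosRule("guest-video", frozenset({"youtube"}), frozenset({"any"}), 8),
]
PROFILE = {
    1: ClassSpec("real-time", 10.0, 20.0),
    4: ClassSpec("medium", 0.0, 100.0),
    6: ClassSpec("low", 5.0, 30.0),
    8: ClassSpec("low", 0.0, 10.0),
}

if __name__ == "__main__":
    print("youtube, known user ->", classify(RULES, "youtube", "alice"))
    print("youtube, unknown user ->", classify(RULES, "youtube", None))
    # Offered load per class (Mbps) on a 100 Mbps egress interface.
    print(allocate(PROFILE, {1: 15, 4: 60, 6: 40, 8: 20}, 100))
```

With the constructed load the interface is oversubscribed (135 Mbps offered against 100): class 1 gets all of its 15 because it is real-time and within its maximum, class 6 is cut to 25, and class 8 gets nothing beyond its zero guarantee, which is the "more packets are dropped as priority decreases" behaviour the text describes.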
Additional Information
A detailed discussion of QoS can be found here:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/quality-of-service
WildFire is a sandbox analysis service that examines files for zero-day malware. A firewall
administrator can submit copies of files transferred through the firewall to WildFire for analysis.
Typically, within 5 minutes WildFire will process the file and provide a malware verdict plus a
detailed analysis report. This service is available to all firewall owners for free with a license
available for advanced features.
WildFire is implemented in a Palo Alto Networks managed public cloud or a WF-500 appliance
installed on a user's network.
Figure: WildFire looks within files for malicious activities and renders a verdict with an analysis report.
WildFire malware findings result in a new detection signature being created and added to the
worldwide Antivirus Update for all firewalls within 24 to 48 hours. WildFire license holders can
receive these new signatures in as few as 15 to 30 minutes.
Additional Information
A detailed description of WildFire can be found here:
https://www.paloaltonetworks.com/documentation/70/wildfire/wf_admin
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/wildfire-analysis-profiles
1. Which four of the following options are true regarding application identification?
(Choose four.)
a) Security policy is analyzed for a new match when an application shift occurs.
b) Viruses can be detected during an SSL session only if decryption is implemented.
c) Custom application definition must be created on external devices and imported to
the firewall.
d) Behavioral patterns can detect an application if decoders and signatures cannot.
e) Applications can be allowed or blocked on certain ports or all ports.
2. What are three advantages of the Palo Alto Networks Next-Generation Firewall?
(Choose three.)
a) Application-based rather than port-based traffic recognition for better rules and
granularity
b) Ports can now be safely ignored because they are no longer a factor
c) Uses a stream-based, single-pass parallel processing engine for fast performance
d) Application signatures are distributed regularly from Palo Alto Networks, although
custom signatures cannot be created
e) Provides full Unified Threat Management on a single platform with one policy and
log database
3. When destination NAT rules are configured, the associated security rule is matched
using which two options? (Choose two.)
a) Pre-NAT source zone and post-NAT destination zone
b) Post-NAT source zone and pre-NAT destination zone
c) Pre-NAT source zone and pre-NAT destination IP address
d) Pre-NAT source zone and post-NAT destination IP address
e) Post-NAT source zone and post-NAT destination zone
4. Which two options are true regarding policy evaluation? (Choose two.)
a) All rules are searched and the most specific rule will match.
b) Policies are evaluated from the top down, and the first match processes the traffic.
c) Interzone traffic is allowed by default.
d) Intrazone traffic is allowed by default.
e) Outbound traffic is allowed by default, inbound traffic only is evaluated.
5. Which three options are not true about Security profiles? (Choose three.)
a) Security profiles are evaluated from top down, with the first match processing the
traffic.
b) Security profiles are applied to all inbound traffic when they are enabled.
c) Security profiles enable a specific type of scanning (e.g., Virus, Spyware).
d) Security profiles can specify actions based on the username.
7. Which three technologies can User-ID monitor for user authentication? (Choose three.)
a) Proxy Servers
b) Domain Controllers
c) Microsoft Office 365 Cloud Deployments
d) Wireless Access Controllers
e) Electronic Badge Readers
10. Which of the following options cannot be specified when configuring QoS?
a) application
b) service
c) source user
d) destination zone
e) source interface
11. Based on the QoS rules shown in the following image, which class will be assigned for
youtube traffic when the source IP address is 192.168.3.3 and the user is known?
a) class 4
b) class 6
c) class 7
d) class 8
e) class 5
12. The firewall will skip the upload to WildFire in which three cases? (Choose three.)
a) The file has been signed by a trusted signer.
b) The file is being uploaded rather than downloaded.
c) The file is an attachment in an email.
d) The file hash matched a previous submission.
e) The file is larger than 10MB.
13. The fastest recurrence interval for WildFire update checks is:
a) 1 minute
b) 10 minutes
c) 15 minutes
d) 30 minutes
e) 60 minutes
Management
Identify the required settings and steps necessary to provision
and deploy a next-generation firewall.
By default, the firewall has an IP address of 192.168.1.1 and a username/password of
admin/admin. For security reasons, you must change these settings before continuing with
other firewall configuration tasks. You must perform these initial configuration tasks either
from the MGT interface, even if you do not plan to use this interface for your firewall
management, or by using a direct serial connection to the console port on the device.
Note: Virtual firewalls must be licensed after initial configuration is performed. See this
information for an explanation:
https://www.paloaltonetworks.com/documentation/70/virtualization/virtualization/about-the-vm-series-firewall/activate-the-license
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/getting-started/perform-initial-configuration
Connect a serial cable from your computer to the Console port and connect to the
firewall using terminal emulation software (9600-8-N-1). Wait a few minutes for the
boot-up sequence to complete. When the device is ready, the prompt changes to the
name of the firewall; for example, PA-500 login.
Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall.
From a browser, go to https://192.168.1.1. Note that you may need to change the IP
address on your computer to an address in the 192.168.1.0 network, such as
192.168.1.2, in order to access this URL.
Select Device > Setup > Management and edit the General Settings. Enter a Hostname for the
firewall and enter your network Domain name. The domain name is just a label; it will not be
used to join the domain. Enter the Latitude and Longitude to enable accurate placement of the
firewall on the world map.
Select Device > Setup > Services and edit the Services. On the Services tab, enter the IP address
of the Primary DNS Server and, optionally, a Secondary DNS Server. To use the virtual cluster
of time servers on the internet, enter the hostname pool.ntp.org as the Primary NTP Server or
add the IP address of your Primary NTP Server and, optionally, a Secondary NTP Server. To
authenticate time updates from an NTP server, select the NTP tab, enter the NTP Server
Address, and select the Authentication Type for the firewall to use.
Note: At this point your firewall can be moved to its permanent location and connected to the
production management network for further configuration. All changes must be committed in
the firewall to preserve them. Note that you will lose all previous configuration settings if you
power down the firewall without performing a Commit operation. The initial sections in this link
outline the steps described:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os
You can activate licenses first on the Palo Alto Networks website and then communicate them
to the firewall (assuming internet connectivity from the Management port). If connectivity is
not available, you can enter licenses directly.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions#75905
Dynamic Updates
These activated licenses provide access to PAN-OS software updates and Subscription data
files (Dynamic Updates). The following information explains these licenses and the process for
updating files and PAN-OS software:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/install-content-and-software-updates#61072
Firewall Configuration
After these initial deployment steps are taken, configuration becomes a task of implementing
network connectivity and security settings to meet your specific requirements. As such, these
next steps can vary widely.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/administer-panorama/manage-panorama-and-firewall-configuration-backups#45186
In cases of firewall hardware failures requiring RMA replacement, see the procedure for
restoring the previous firewall's settings here:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/troubleshooting/replace-an-rma-firewall
Centralized logs are created through real-time forwarding of firewall log events. Each firewall is
configured with specific log-forwarding configurations specifying which types of log events and
under which circumstances they are forwarded.
A complete discussion of logging control and Log Collector implementation can be found here:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/panorama-overview/centralized-logging-and-reporting#82482
Hardware Panorama appliances include multiple Ethernet interfaces for optional use in log
collection and Collector Group communications. A discussion of this topic appears here:
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/set-up-panorama/set-up-the-m-series-appliance#32752
Subscription Updates are enabled through application of various licenses to the firewall. These
updates are managed under Device > Dynamic Updates. Updates can be transferred directly
from Palo Alto Networks on demand or by schedule control. In cases where no network
connectivity is present, these updates can be downloaded from the Palo Alto Networks
Dynamic Update section of the Support portal site onto an Administrator's system and
uploaded through a Management WebUI connection and then applied.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/install-content-and-software-updates#61072
PAN-OS updates are managed in the Device > Software section of the WebUI. New PAN-OS
versions can be downloaded and even installed without user disruption. A final system reboot
must be performed to put the new PAN-OS software into production. Because this reboot is
disruptive, it should be done in a change control window.
A firewall does not need to be upgraded to each PAN-OS release in sequence.
Considerations for skipping releases are outlined here:
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/upgrade-to-pan-os-7-1/upgrade-a-firewall-to-pan-os-7-1#90475
Make note of the requirement that Dynamic Updates be upgraded to the latest versions before
PAN-OS software is upgraded to ensure compatibility.
You can roll back PAN-OS updates if required. Details can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/upgrade-to-pan-os-7-1/downgrade-from-pan-os-7-1
HA Firewalls
Each firewall is responsible for managing its own Dynamic Updates, even when it is in
passive mode. This task can be difficult if the passive firewall has no network path to the Palo
Alto Networks update servers.
Dynamic Updates in HA clusters include a "Sync-to-peer" option for use when the
secondary firewall has no network route to the update server. Further discussion can be found
here:
https://live.paloaltonetworks.com/t5/Management-Articles/Scheduled-Dynamic-Updates-in-an-HA-Environment/ta-p/60449
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/upgrade-to-pan-os-7-1/upgrade-an-ha-firewall-pair-to-pan-os-7-1
https://www.paloaltonetworks.com/documentation/71/panorama/panorama_adminguide/manage-licenses-and-updates
https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/upgrade-to-pan-os-7-1/upgrade-firewalls-using-panorama
Backing up versions of the running or candidate configuration enables you to later restore
those versions on the firewall. A discussion about the basics appears here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/firewall-administration/manage-configuration-backups#68133
https://live.paloaltonetworks.com/t5/Configuration-Articles/Configuration-Management-Guidelines/ta-p/65781
Administrative accounts specify roles and authentication methods for the administrators of
Palo Alto Networks firewalls. Every Palo Alto Networks firewall has a predefined default
administrative account (admin) that provides full read-write access (also known as superuser
access) to the firewall. Other administrative accounts can be created as needed.
The types of administrative accounts and their creation are discussed here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/firewall-administration/manage-firewall-administrators#72624
Authentication
Many of the services that Palo Alto Networks firewalls and Panorama provide require
authentication, including administrator access to the web interface and end user access to
Captive Portal, GlobalProtect portals, and GlobalProtect gateways. The authentication methods
that you can configure vary by service, and can include Kerberos single sign-on (SSO), external
authentication services, certificates and certificate profiles, local database accounts, RADIUS
Vendor-Specific Attributes (VSAs), and NT LAN Manager (NTLM).
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/authentication
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-management
https://live.paloaltonetworks.com/t5/Management-Articles/SSL-certificates-resource-list/ta-p/53068
1. Which two firewall ports can you connect to for initial firewall configuration tasks?
(Choose two.)
a) Traffic Port #1
b) Management Port
c) Console Port
d) Maintenance Port
3. Which of the following firewall configuration settings can Panorama manage? Choose all
that apply.
a) Traffic interface settings
b) High Availability settings
c) Administrative account settings
d) Enable multivirtual system capability
4. Which three software components should be reviewed for the desired version during a
firewall installation? (Choose three.)
a) PAN-OS software
b) Firewall ROM/Firmware
c) Dynamic Update Files
d) Interface drivers
e) GlobalProtect Client package
Networking
Configure and troubleshoot interface components.
PAN-OS software supports a variety of interface configuration options. The network interfaces
on a firewall fall into two general types: Traffic ports and the Management network port.
Traffic Ports
Traffic ports provide multiple configuration options with the ability to pass traffic through to
other ports via traffic handling objects (virtual routers, virtual wires, and VLANs). The Section
1.4 subsection Types of Interfaces provides descriptions and configuration information for
these interfaces.
Management Port
The Management port is isolated from internal connectivity for security purposes. If the
Management network port requires internet access, its traffic must be routed out of the
firewall and through other network infrastructure that provides this connectivity. Often this
traffic is routed back into a traffic port on the same firewall, where it is treated like any other
traffic and must be allowed through by Security policies.
This management traffic can also be routed through alternate ports. A discussion appears here:
https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-a-Service-Route-for-Services-to-Use-a-Dataplane/ta-p/59433
Troubleshooting Tools
There are several important tools for troubleshooting traffic flow through the firewall. A best
practice in troubleshooting is to separate general connectivity issues from those of security.
Connectivity issues should be resolved before security processing is evaluated.
The WebUI provides several important tools. The path Monitor > Logs > Traffic log provides
Session summary information. Log entries for traffic are generated as specified in Security
policies. The typical configuration specifies that log entries are created when a session ends.
Use the magnifying glass icon to examine this log entry for detail.
Figure: Log entry detail
Details found here include much information for troubleshooting: the Security action, the
firewall policy allowing it through, the assigned App-ID, zones, ingress and egress interfaces,
etc. NAT details and flags attesting to other handling details also appear. Examine this data to
gain valuable insight into the firewall's processing of this traffic from both the connectivity and
the security processing views.
This data typically is written at session end but logging settings can specify that log entries be
created at session setup time. Although this practice drives more log volume, it can provide
critical data in certain situations. Turn on Log at Session Start temporarily during
troubleshooting to provide more information and gain insight.
Figure: Turning on entry creation at session setup time temporarily can aid in troubleshooting.
View open sessions using the Monitor > Session Browser display.
Figure: View open sessions within the Session Browser
The Clear checkbox at the end of a session summary line can be used to end the session
immediately, often generating the desired log entry.
The CLI show commands will assist with troubleshooting. The WebUI Traffic Capture and CLI
pcap and Debug functions give greater visibility to system-level operation for troubleshooting.
A complete discussion about packet captures appears here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/take-packet-captures#62168
Connectivity issues often arise from unexpected traffic-forwarding decisions. Find the simplest
view into forwarding decisions by displaying the Layer 3 routing and forwarding tables in the
WebUI:
Figure: Display the specific virtual router's routing and forwarding tables with this link.
Policy-based forwarding (PBF) policies can override routing decisions and must be considered
when troubleshooting connectivity. The routing and forwarding tables mentioned do not show
the effects of existing PBF policies. PBF troubleshooting is best done on the CLI; show
commands can display existing PBF policies and whether they are active. The test pbf-policy-match
command will show the application of existing PBF policies on modeled traffic.
IPv6 is enabled by default at the firewall level (Device > Setup > Session).
Figure: The IPv6 configuration settings for a traffic interface
Figure: IPv6-related NAT policy type selection options
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/nat#36644
Virtual routers handle all Layer 3 forwarding decisions.
Figure: Static route creation in a virtual router
Figure: An example Dynamic Routing protocol configuration
Figure: The virtual router's routing and forwarding tables can be displayed.
A discussion of virtual routers and each of the supported dynamic routing protocols is here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking
Troubleshooting Routing
There is advanced troubleshooting of routing functions in the CLI. Output from the debug
routing command provides insight into router processing, including advanced debugging
logs and routing-specific packet captures.
There are multiple objects to configure to enable an IPSec tunnel.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/vpns
There are multiple objects to configure to enable GlobalProtect.
Every Palo Alto Networks firewall can provide GlobalProtect connectivity support to Windows
and Mac clients with no additional license requirement. Client software can be downloaded
directly from the Portal.
Figure: The GlobalProtect architectural components in a typical implementation
Gateway traffic (SSL or IPSec encryption) can be terminated on a tunnel interface in a separate
zone, which allows for specific policies to be enabled for that zone and user(s).
iOS and Android devices can access GlobalProtect Client software at no cost in their application
stores. Connecting to the firewall, however, requires an extra-cost license.
With the appropriate license, HIP checks can be performed by GlobalProtect agent software on
the client platforms at connect time. This information is a security-oriented inventory of the
endpoint environment.
Figure: HIP Object components
Information from these reports can be extracted and made into logical true/false objects for
use in Security policies, providing appropriate access depending on endpoint configuration.
Figure: HIP profile objects bring remote endpoint configuration to Security policy decision making
Additional Information
Configuring the firewall for GlobalProtect is discussed here:
https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure
https://www.paloaltonetworks.com/documentation/71/globalprotect/globalprotect-admin-guide/use-host-information-in-policy-enforcement
does have powerful protections, none of them are turned on by default, which leaves a firewall
exposed to these attacks until protections are configured.
Figure: Zone Protection profiles provide multiple types of attack defenses.
Denial-of-service policies can provide more granular flood attack protections to internal
resources and operate at the same time as ZPPs. ZPPs operate on aggregate traffic totals at the
zone level to measure traffic and invoke protections. DoS policies can be targeted as specifically
as desired in the policy matching conditions. These policies invoke DoS Protection Security
profiles, which specify the defenses to implement.
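The distinction drawn above, as an added example that is not code from the study guide or from PAN-OS: a Zone Protection profile measures the aggregate new-connection rate for a whole zone, while a DoS Protection policy can be scoped to individual destination addresses. Both are modelled here with the PAN-OS flood thresholds alarm, activate and maximum (connections per second). The per-second counting, the returned state names, the constructed SYN events and the threshold values are this example's own; it shows how a flood that stays below the zone-wide thresholds can still trip a policy targeted at one server.

```python
"""Zone Protection vs DoS Protection flood thresholds on constructed data.

Added example; not code from the study guide or PAN-OS. Events are
(second, source ip, destination ip, ingress zone) tuples for new-connection
(SYN) attempts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

STATES = ["normal", "alarm", "activate", "maximum"]  # increasing severity


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int     # connections/s at which an alert is logged
    activate: int  # connections/s at which mitigation (e.g. random early drop) starts
    maximum: int   # connections/s above which all new connections are dropped


def state_for(rate, t):
    """Map a measured connections-per-second rate to the protection state."""
    if rate >= t.maximum:
        return "maximum"
    if rate >= t.activate:
        return "activate"
    if rate >= t.alarm:
        return "alarm"
    return "normal"


def per_second_rates(syn_events, key):
    """Count SYN events per second, grouped by key(event)."""
    rates = defaultdict(Counter)
    for event in syn_events:
        rates[key(event)][event[0]] += 1
    return rates


def worst_state(counter, thresholds):
    """Most severe state reached in any one-second interval."""
    return max((state_for(r, thresholds) for r in counter.values()), key=STATES.index)


def evaluate_zone_protection(syn_events, thresholds):
    """Aggregate view: one rate per ingress zone, regardless of destination."""
    rates = per_second_rates(syn_events, key=lambda e: e[3])
    return {zone: worst_state(c, thresholds) for zone, c in rates.items()}


def evaluate_dos_policy(syn_events, thresholds, protected_dsts):
    """Classified DoS profile view: one rate per protected destination address."""
    matching = [e for e in syn_events if e[2] in protected_dsts]
    rates = per_second_rates(matching, key=lambda e: e[2])
    return {dst: worst_state(c, thresholds) for dst, c in rates.items()}


def sample_events():
    """Constructed SYNs: 800/s to one DMZ host from many sources over three
    seconds, plus 50/s of ordinary traffic to a second host."""
    events = []
    for sec in range(3):
        for i in range(800):
            events.append((sec, f"198.51.100.{i % 200}", "10.1.1.10", "untrust"))
        for i in range(50):
            events.append((sec, f"198.51.100.{i}", "10.1.1.20", "untrust"))
    return events


# Assumed threshold sets: a broad zone-level profile and a tighter per-server one.
ZONE_THRESHOLDS = FloodThresholds(alarm=10000, activate=10000, maximum=40000)
SERVER_THRESHOLDS = FloodThresholds(alarm=500, activate=600, maximum=2000)

if __name__ == "__main__":
    ev = sample_events()
    print("zone protection:", evaluate_zone_protection(ev, ZONE_THRESHOLDS))
    print("DoS policy:", evaluate_dos_policy(ev, SERVER_THRESHOLDS, {"10.1.1.10", "10.1.1.20"}))
```

The zone sees only 850 SYN/s in total and stays "normal" against its high aggregate thresholds, while the DoS policy, applied to the single address under attack, reaches "activate" and begins mitigating; the neighbouring host behind the same policy is unaffected.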
Additional Information
A video tutorial about implementing ZPP can be found here:
https://live.paloaltonetworks.com/t5/Featured-Articles/Video-Tutorial-Zone-protection-profiles/ta-p/70687
An exploration of DoS attacks and defending against them using Palo Alto Networks firewalls
can be found here:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085
https://live.paloaltonetworks.com/t5/Learning-Articles/Zone-Protection-Recommendations/ta-p/55850
A discussion of the differences between ZPP and DoS can be found here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-DoS-Protection-
and-Zone-Protection/ta-p/57761
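The difference between the two counters is easiest to see with numbers. The following is an added example written for this guide, not PAN-OS code: it applies an aggregate per-zone SYN threshold (as a Zone Protection profile does) and a per-destination threshold (as a classified DoS Protection profile does) to two constructed one-second bursts of traffic. The threshold values, zone and address names, and the traffic itself are assumptions; the real firewall applies Random Early Drop or SYN cookies on its own timing windows rather than the labels returned here.

```python
from collections import defaultdict

# Thresholds in new connections (SYNs) per second, mirroring the Alarm Rate,
# Activate Rate and Maximum Rate fields of a SYN flood setting. A Zone
# Protection profile counts the whole ingress zone in aggregate; a classified
# DoS Protection profile counts per destination address. Values are assumptions.
ZPP_SYN = {"alarm": 500, "activate": 1000, "maximum": 2000}
DOS_SYN_CLASSIFIED = {"alarm": 100, "activate": 200, "maximum": 400}


def classify(rate, thresholds):
    """State a flood counter is in at a given rate."""
    if rate >= thresholds["maximum"]:
        return "drop"        # new connections beyond the maximum are dropped
    if rate >= thresholds["activate"]:
        return "mitigate"    # Random Early Drop or SYN cookies engaged
    if rate >= thresholds["alarm"]:
        return "alarm"       # logged only
    return "ok"


def flood(syns_per_host, ingress_zone):
    """Build one second of constructed SYN packets as (dst_ip, zone) tuples."""
    return [(ip, ingress_zone) for ip, n in syns_per_host.items() for _ in range(n)]


def evaluate_second(packets):
    """Apply both counters to one second of traffic and return their verdicts."""
    per_zone = defaultdict(int)
    per_host = defaultdict(int)
    for dst_ip, zone in packets:
        per_zone[zone] += 1
        per_host[dst_ip] += 1
    zone_state = {z: classify(n, ZPP_SYN) for z, n in per_zone.items()}
    host_state = {ip: classify(n, DOS_SYN_CLASSIFIED) for ip, n in per_host.items()}
    return zone_state, host_state


# Two constructed attacks entering the same zone:
SPREAD = flood({f"10.1.1.{i}": 150 for i in range(1, 9)}, "dmz")   # 1200 SYN/s over 8 hosts
FOCUSED = flood({"10.1.1.1": 350}, "dmz")                           # 350 SYN/s at one host

if __name__ == "__main__":
    for label, pkts in (("spread", SPREAD), ("focused", FOCUSED)):
        print(label, *evaluate_second(pkts))
```

The spread attack trips the zone-level counter while each individual host stays below its activate rate; the focused attack never registers at the zone level but the classified counter for the single target does. Neither protection alone covers both cases, which is why the guide recommends running them together.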
2. Palo Alto Networks firewalls implement which three types of traffic-handling objects to
forward traffic from one traffic port to another? (Choose three.)
a) Traffic forwarder
b) Virtual wires
c) VLANs
d) Virtual routers
e) Zones
f) Aggregate port groups
3. Which five routing protocols can be implemented on Palo Alto Networks firewalls?
(Choose five.)
a) EIGRP
b) BGP
c) OSPF v2
d) OSPF v3
e) RIPV2
f) RIPV1
g) Multicast
h) IGRP
i) IS-IS
7. The configuration of a DoS Protection profile can defend nodes from which attacks?
a) Floods
b) TCP port scans
c) IP address spoofing
d) ICMP large packets
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/getting-started/set-up-
a-basic-security-policy#79320
The completion of these steps provides only a basic setup that is not comprehensive enough to
protect your network. The next phase can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/best-practice-
internet-gateway-security-policy#60768
The preceding material included a review of Security profiles, which are an important part of
detecting and preventing specific types of threats. See the following document for more
details:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/create-best-
practice-security-profiles#48239
Security policy is evaluated top-down, first match, then exit. Each Security policy match involves
up to two processing steps. Step 1 confirms that a match has been made based on the matching
conditions in the Security policy rule. If a match is found, the traffic is logged (according to that
rule's configuration) and the chosen action (allow, deny, drop, or reset) is performed. Step 2
applies only when the action is allow: the session is scanned with the Security profiles attached
to the rule. Once processing is complete, there is no further matching in the Security policy list.
If Panorama device groups are used to push Security policy to one or more firewalls, the
Security policy list is expanded to include rules before (Pre Rules) and after (Post Rules) the
local firewall rules. Panorama rules are merged with the local firewall rules in the position
chosen during Panorama rule creation: Pre Rules above the local rules, Post Rules below them.
Security policy should, in as many cases as possible, use App-ID for match criteria.
At the end of the list are two default policies: one for an Intrazone Allow and one for an
Interzone Deny. Taken together they implement the default security behavior of the firewall to
block interzone traffic and allow intrazone traffic. (The default logging is off for both.)
Security policy rules in PAN-OS software have a type: Universal (default), Interzone, or Intrazone.
(All rules regardless of type are evaluated top-down, first match, then exit.) A Universal rule
matches both interzone and intrazone traffic; the rule type therefore selects which kind of
traffic the rule applies to.
Throughput does not depend on how early in the list a match is made. Because evaluation is
top-down, first match, then exit, exceptions to a rule must appear above the general rule;
otherwise the general rule shadows them and they never match. Beyond this constraint, order is
a matter of administrative preference. Tags, the Policy search bar, and Global Find are used to
quickly navigate to the rule or rules needed for moves, adds, changes, deletes, clones, and
troubleshooting.
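The following is an added example for this guide, not PAN-OS code: a small model of the merged rule list a Panorama-managed firewall evaluates (Pre Rules, local rules, Post Rules, then the two implicit default rules), with first-match evaluation, the Universal/Interzone/Intrazone rule types, and a check that reports rules shadowed by an earlier, broader rule. Rule names, zones, and application names are assumptions chosen for the example.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})


def Z(*names):
    """Shorthand for a match set of zones or applications."""
    return frozenset(names)


@dataclass
class Rule:
    name: str
    action: str                          # allow | deny | drop | reset
    rule_type: str = "universal"         # universal | interzone | intrazone
    from_zones: frozenset = ANY
    to_zones: frozenset = ANY
    apps: frozenset = ANY
    log: bool = True

    @staticmethod
    def _permits(value, allowed):
        return allowed == ANY or value in allowed

    def matches(self, src_zone, dst_zone, app):
        same_zone = src_zone == dst_zone
        if self.rule_type == "intrazone" and not same_zone:
            return False
        if self.rule_type == "interzone" and same_zone:
            return False
        return (self._permits(src_zone, self.from_zones)
                and self._permits(dst_zone, self.to_zones)
                and self._permits(app, self.apps))


# Constructed rule base. The exception (deny-facebook-chat) sits above the
# general allow-web rule, as the guide requires.
PANORAMA_PRE = [
    Rule("block-known-bad", "deny", apps=Z("bittorrent", "tor")),
]
LOCAL = [
    Rule("deny-facebook-chat", "deny", from_zones=Z("trust"), to_zones=Z("untrust"),
         apps=Z("facebook-chat")),
    Rule("allow-web", "allow", from_zones=Z("trust"), to_zones=Z("untrust"),
         apps=Z("web-browsing", "ssl", "facebook-base", "facebook-chat")),
    Rule("trust-internal", "allow", rule_type="intrazone", from_zones=Z("trust")),
]
PANORAMA_POST = [
    Rule("deny-all-logged", "deny", rule_type="interzone"),
]
# The two implicit rules at the bottom of every list; logging is off by default.
DEFAULTS = [
    Rule("intrazone-default", "allow", rule_type="intrazone", log=False),
    Rule("interzone-default", "deny", rule_type="interzone", log=False),
]


def effective_policy(pre=PANORAMA_PRE, local=LOCAL, post=PANORAMA_POST):
    """Order as a Panorama-managed firewall sees it."""
    return list(pre) + list(local) + list(post) + DEFAULTS


def evaluate(src_zone, dst_zone, app, policy=None):
    """Top-down, first match, then exit; returns (rule name, action, logged)."""
    for rule in policy or effective_policy():
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action, rule.log
    raise AssertionError("the default rules guarantee a match")


def shadowed_rules(policy):
    """Rules that can never match because an earlier rule with equal or broader
    conditions sits above them: the usual result of putting an exception below
    the general rule."""
    def subset(inner, outer):
        return outer == ANY or (inner != ANY and inner <= outer)

    def covers(outer, inner):
        return (outer.rule_type in ("universal", inner.rule_type)
                and subset(inner.from_zones, outer.from_zones)
                and subset(inner.to_zones, outer.to_zones)
                and subset(inner.apps, outer.apps))

    return [r.name for i, r in enumerate(policy)
            if any(covers(o, r) for o in policy[:i])]


if __name__ == "__main__":
    print(evaluate("trust", "untrust", "facebook-chat"))
    print(shadowed_rules(effective_policy()))
```

Swapping the first two local rules makes deny-facebook-chat unreachable, which shadowed_rules reports. The check also flags interzone-default as shadowed by the logged catch-all Post Rule; that is intended here and is the usual way to get logging for traffic the default interzone deny would otherwise drop silently.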
Beginning with PAN-OS 7.0, additional actions now are available when a Security policy matches a session.
Configurable Security profiles
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/security-
profiles.html
The following diagram outlines the Content-ID engine that is responsible for Security profile
actions:
Content-ID engine
All scanning is done by signature matching on a streaming basis (not on a per-file basis). These
signatures are updated according to the configured update schedules and licensing options. For
example, with a WildFire license, new virus and malware signatures can be installed as quickly
as every 5 minutes. With only a Threat Prevention license (no WildFire license), signatures
generated by WildFire arrive in the daily Antivirus update, that is, only every 24 hours.
Once content scanning is enabled, it does consume firewall resources. Consult a firewall
comparison chart to identify the model with appropriate Threat Enabled throughput.
The WildFire Cloud can scan your organization's files using an appropriately configured WildFire
Analysis profile. A profile includes match conditions describing the file characteristics you want
to forward to WildFire for analysis. As files matching these conditions are transferred through
your firewall, a copy is sent to WildFire for analysis.
Note: Files are not quarantined pending WildFire evaluation. In cases of positive malware
findings, the security engineer must use information collected on the firewall and by WildFire to
locate the file internally for remediation.
WildFire Analysis profiles indicate which files are to be forwarded, subject to the system-wide
WildFire configuration settings (Device > Setup > WildFire), which include the maximum file size
per file type. In PAN-OS 7.1, WildFire typically renders a verdict on a file within 5 to 10 minutes
of receipt.
WildFire is available to all firewall owners at no cost. An optional WildFire subscription adds
functionality, including forwarding of file types beyond Windows executables, the 5-minute
signature updates described above, and access to the WildFire API.
WildFire analysis results in a detailed report including all aspects of the original file and the
contained malware. This report is a valuable tool that describes the exact nature of the
detected threat. Discussion of the report can be found here:
https://www.paloaltonetworks.com/documentation/71/wildfire/wf_admin/monitor-wildfire-
activity/wildfire-analysis-reports-close-up#90140
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/policy/wildfire-
analysis-profiles#75179
https://www.paloaltonetworks.com/documentation/71/wildfire/wf_admin
https://www.paloaltonetworks.com/documentation/71/wildfire/wf_admin/wildfire-
overview/wildfire-subscription#25174
When WildFire profiles are evaluated by the firewall, there is a specific process flow that is
explained here:
https://www.paloaltonetworks.com/documentation/71/wildfire/wf_admin/wildfire-
overview/wildfire-cycle#67329
that is configured to block threat-prone categories such as malware, phishing, and adult. You
can use the default profile in a Security policy, clone it to be used as a starting point for new
URL Filtering profiles, or add a new URL Filtering profile that will have all categories set to allow
for visibility into the traffic on your network. You can then customize the newly added URL
profiles and add lists of specific websites that should always be blocked or allowed, which
provides more granular control over URL categories. For example, you may want to block social-
networking sites, but allow some websites that are part of the social-networking category.
URL Filtering requires a URL Filtering subscription that keeps the URL category database up to
date. This data describes which type of content can be found at a given URL. Profiles can apply
a different action (allow, alert, continue, override, or block) to each category to reflect the
organization's acceptable-use policies and risk posture.
When a URL Filtering profile invokes an action, the user can be notified directly through a
response page, reducing confusion about the cause. These pages can be modified to meet an
organization's particular needs:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/url-filtering/url-
filtering-response-pages
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/url-filtering
Two vendors' URL categorization services are available for the firewall (PAN-DB and BrightCloud
in PAN-OS 7.1), of which only one can be active at a given moment. Although they provide very
similar support to URL Filtering profiles, they differ in the way they work within the firewall. A
brief discussion of the two can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/url-filtering/url-
filtering-vendors
Specific information about implementing URL Filtering profiles and their allowed actions can be
found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/url-filtering/configure-
url-filtering#74872
Palo Alto Networks firewall NAT policies consist of matching conditions describing the traffic to
NAT and an action describing the precise address substitution desired. The actions generally
address source and destination address changes separately but can be combined in the same
NAT policy.
NAT Policy action tab
A complete discussion of NAT functionality and its implementation on Palo Alto Networks
firewalls is contained here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/nat
four, or two times the size. For example, the default limit of 64K concurrent sessions allowed,
when multiplied by an oversubscription rate of eight, results in 512K concurrent sessions
allowed.
The oversubscription rates that are allowed vary based on the platform. The oversubscription
rate is global; it applies to the firewall. This oversubscription rate is set by default and consumes
memory, even if you have enough public IP addresses available to make oversubscription
unnecessary. You can reduce the rate from the default setting to a lower setting or to even 1
(which means no oversubscription). By configuring a reduced rate, you decrease the number of
source device translations possible, but increase the DIP and DIPP NAT rule capacities.
Details about this capability and its configuration can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/dynamic-
ip-and-port-nat-oversubscription#74104
NAT oversubscription configuration.
Security policy rules allowing traffic whose addresses are changed by NAT must be created with
those changes in mind. The firewall evaluates Security policy before NAT address changes are
carried out, so Security policy rules for NATed traffic must be written with pre-NAT addresses.
Security policy rules also include source and destination zone matching conditions, and the
firewall determines the destination zone by a route lookup on the post-NAT destination address.
Therefore the Security policy rule must use the destination zone that results from the
translation, which often leads to counterintuitive rules in which a pre-NAT destination address
appears alongside a post-NAT destination zone. See the following for an example.
A Security policy rule allowing traffic that has a destination NAT applied must reference the pre-NAT destination
address and the post-NAT destination zone.
NAT examples reviewing this requirement and others can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/networking/nat-
configuration-examples#44308
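The following is an added example for this guide, not PAN-OS code: it walks one inbound packet through the order of operations described above (NAT rule lookup on the pre-NAT packet, a route lookup on the post-NAT address to find the destination zone, Security policy matched on the pre-NAT address plus the post-NAT zone, and only then the address rewrite). The routing table, interface-to-zone mapping, addresses, and rule names are a constructed topology chosen for the example.

```python
import ipaddress

# Constructed topology (an assumption for this example): the public address
# 203.0.113.10 is translated to a web server at 10.1.1.10 in the dmz zone.
ROUTES = [                       # (prefix, egress interface)
    ("0.0.0.0/0", "ethernet1/1"),
    ("10.1.0.0/16", "ethernet1/2"),
    ("192.168.0.0/16", "ethernet1/3"),
]
ZONE_OF_INTERFACE = {"ethernet1/1": "untrust", "ethernet1/2": "dmz", "ethernet1/3": "trust"}

# NAT rule: (name, source zone, destination zone, original dst, translated dst).
# Both zones are pre-NAT, so the destination zone is where the public address routes.
NAT_RULES = [
    ("dnat-web", "untrust", "untrust", "203.0.113.10", "10.1.1.10"),
]

# Security rule: (name, source zone, destination zone, destination address, app, action).
# Destination address is pre-NAT; destination zone is post-NAT.
SECURITY_RULES = [
    ("allow-inbound-web", "untrust", "dmz", "203.0.113.10", "web-browsing", "allow"),
]


def egress_zone(ip):
    """Route lookup (longest prefix match) followed by interface-to-zone mapping."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return ZONE_OF_INTERFACE[best[1]]


def nat_lookup(src_zone, dst_ip):
    """Match NAT rules on the pre-NAT packet; return (rule name, post-NAT dst)."""
    pre_nat_dst_zone = egress_zone(dst_ip)
    for name, from_zone, to_zone, original, translated in NAT_RULES:
        if (from_zone, to_zone, original) == (src_zone, pre_nat_dst_zone, dst_ip):
            return name, translated
    return None, dst_ip


def security_lookup(src_zone, dst_zone, dst_ip, app):
    """First match over the Security rules; the implicit interzone default denies."""
    for name, from_zone, to_zone, dst, rule_app, action in SECURITY_RULES:
        if (from_zone, to_zone, dst, rule_app) == (src_zone, dst_zone, dst_ip, app):
            return name, action
    return "interzone-default", "deny"


def process(src_zone, dst_ip, app):
    """Mirror the firewall's order: NAT rule lookup, a second route lookup on
    the post-NAT address to find the destination zone, Security policy matched
    on the pre-NAT address plus post-NAT zone, and only then the rewrite."""
    nat_rule, post_nat_ip = nat_lookup(src_zone, dst_ip)
    post_nat_zone = egress_zone(post_nat_ip)
    sec_rule, action = security_lookup(src_zone, post_nat_zone, dst_ip, app)
    return {
        "nat_rule": nat_rule,
        "dst_zone": post_nat_zone,
        "security_rule": sec_rule,
        "action": action,
        "forwarded_to": post_nat_ip if action == "allow" else None,
    }


if __name__ == "__main__":
    print(process("untrust", "203.0.113.10", "web-browsing"))
```

A Security rule written with the translated address 10.1.1.10 as its destination never matches this flow, because the rule is evaluated while the packet still carries 203.0.113.10; only the zone reflects the translation.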
Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility,
control, and granular security. Decryption on a Palo Alto Networks firewall includes the
capability to enforce Security policies on encrypted traffic, where otherwise the encrypted
traffic might not be blocked and shaped according to your configured security settings. Use
decryption on a firewall to prevent malicious content from entering your network or sensitive
content from leaving your network concealed as encrypted traffic. Enabling decryption on a
Palo Alto Networks firewall can include preparing the keys and certificates required for
decryption, creating a decryption policy, and configuring decryption port mirroring.
Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure
that these protocols are being used for the intended purposes only, and not to conceal
unwanted activity or malicious content.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and
control both inbound and outbound SSL and SSH connections. Decryption policies allow you to
specify traffic for decryption according to destination, source, or URL category and in order to
block or restrict the specified traffic according to your security settings. The firewall uses
certificates and keys to decrypt the traffic specified by the policy to plaintext, and then enforces
App-ID and security settings on the plaintext traffic, including Decryption, Antivirus,
Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking profiles. After traffic is decrypted
and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the firewall to
ensure privacy and security.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption
Central to this discussion is the role of digital certificates (for SSL) and host keys (for SSH) in
securing encrypted sessions. Understanding this role and planning for proper certificate needs
and deployment are important considerations in decryption use. Concepts are discussed here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/keys-and-
certificates-for-decryption-policies#40372
The use of certificates is central to other important firewall functions in addition to decryption.
This need led to the implementation of extensive certificate management capabilities on the
firewall. Device > Certificate Management is the central certificate work and storage area. A
discussion of certificate use for all purposes in the firewall appears here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/certificate-
management/keys-and-certificates#61436
Decryption Policies
Decryption is controlled by Decryption policies. Palo Alto Networks firewalls automatically detect
encrypted traffic and evaluate the Decryption policies against it. If a matching rule is found, the
firewall attempts to decrypt the traffic according to the rule's specified decryption action (or
leaves it encrypted if the action is no-decrypt). Normal packet processing resumes afterward.
A Decryption policy and its action under the Options tab
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption
Note that SSL Forward Proxy replaces the original certificate from the destination server with
one the firewall generates on the fly and signs with its Forward Trust CA certificate (or with its
Forward Untrust CA certificate when the server's certificate is not trusted); that impersonated
certificate is what the client receives. Clients therefore must trust the Forward Trust CA, or every
decrypted site will produce a certificate warning.
A developer of an application that uses SSL can take extra programmatic steps to check the
certificate received at the client for specific characteristics present in the original certificate
(certificate pinning). When these characteristics aren't found, the application assumes that a
decrypting device is in the middle of the conversation and may refuse to function, treating the
presence as a security risk. These applications typically are not fully functional in a decrypting
environment and must be added as exceptions to Decryption policies.
In recognition of this fact, Palo Alto Networks includes a list of these applications in a Decryption
Bypass list embedded in PAN-OS software. This list and its effects are explained here:
https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-
from-SSL-Decryption/ta-p/62201
Decryption policies typically contain other exceptions representing other applications with this
behavior.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-Palo-Alto-Networks-Identifies-
HTTPS-Applications-Without/ta-p/56284
Application Override policy
Unlike the App-ID engine, which inspects application packet contents for unique signature
elements, the Application Override policy's matching conditions are limited to header-based
data only (zones, addresses, protocol, and port). Traffic matched by an Application Override rule
is labeled with the App-ID entered in the Application field; choices are limited to applications
currently in the App-ID database, including custom applications.
Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer 4
firewall: no Content-ID scanning (Antivirus, Anti-Spyware, Vulnerability Protection, and so on) is
applied. Application Override should therefore be used only for traffic that can be trusted
without Content-ID inspection.
The resulting application assignment can be used in other firewall functions such as Security
policy and QoS.
Use Cases
There are three primary use cases for Application Override policy: 1) to identify unknown traffic
(unknown-tcp or unknown-udp) as a custom application, 2) to re-identify traffic that matches an
existing application signature, and 3) to bypass the Signature Match Engine (within the SP3
architecture) to improve processing time for trusted, high-volume traffic.
A discussion of typical application override uses and specific implementation examples appears
here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-
Application-Override/ta-p/65513
The following illustrations document the creation of a new App-ID for a custom internal
application and its use in an Application Override policy that assigns it to appropriate traffic:
Traffic matching Application Override rules is identified elsewhere by the assigned App-ID.
1. Which six of the following options can be matching conditions in a Security policy?
(Choose six.)
a) Packet length
b) Source port number
c) Destination port number
d) Destination username
e) OS version of a connected GlobalProtect client
f) Time of day
g) Zone
h) App-ID
2. Complete the following statement: When managed firewalls receive Security policies
from Panorama:
a) they replace locally defined policies
b) they are added above the local policies and ordered by ID number
c) they are added below local policies and ordered by ID number
d) they are merged with local policies depending on pre- or post-Panorama
designations
e) they can be modified by local firewall administrators
f) their position in the policy list can be changed by the local administrator
g) they can be deleted by local firewall administrators
3. Which five of the following are Security profiles representing Content-ID scanning?
(Choose five.)
a) Antivirus
b) Anti-Spyware
c) Zone Protection
d) URL Filtering
e) File Blocking
f) WildFire Analysis
g) Decryption
h) QoS
4. When an address in a packet is changed by a NAT, which address is used in the Security
policy allowing the traffic through?
a) Pre NAT
b) Post NAT
5. Which two types of encrypted traffic can a Palo Alto Networks firewall decrypt through
Decryption policies? (Choose two.)
a) SSL
b) Blowfish
c) AES
d) SSH
e) 3DES
6. Complete the following statement: The firewall will decrypt traffic when:
a) a Security policy includes decryption as an action
b) the traffic matches a Decryption policy
c) the traffic matches a Decryption profile
7. Complete the following statement (choose two): Application Override policies will:
a) prevent matching traffic from entering VPN tunnels
b) apply a specified App-ID label to matching traffic
c) prevent matching traffic from being logged
d) cause matching traffic to bypass Content-ID processing
e) route traffic to WildFire for scanning
8. Palo Alto Networks suggests best practice is to use which type of App-ID in Override
policies?
a) Custom signatures
b) App-IDs already available in the App-ID database
Log storage on Palo Alto Networks firewalls is strictly allocated between different log and other
storage types to ensure that no particular log is overrun by another. This allocation is user-
controlled.
Device > Setup > Management > Logging and Reporting Settings
Each storage area acts as a circular log: when it fills, new entries overwrite the oldest ones.
Space is cleared in blocks, and a message is added to the System log each time this happens.
Before you can use Panorama or external systems to monitor the firewall, you must configure
the firewall to forward its logs. Before forwarding to external services, the firewall
automatically converts the logs to the necessary format: syslog messages, SNMP traps, or email
notifications. Before you start this procedure, ensure that Panorama or the external server that
will receive the log data already is set up.
1. SNMP traps
2. Syslog
3. Email
4. Panorama
All types (other than Panorama) support customization of the message format. A typical
destination configuration follows:
Creating a Syslog log forwarding destination
An example of a customized email message
Any log event redirection causes a copy of the log event to be forwarded as specified. It is
logged on the firewall as usual.
There are two main methods to forward log events, depending on the log message type. Log
events destined for the System, Config, and HIP Match log are redirected using Device > Log
Settings to choose event destination(s) for specific event types.
Redirecting log events via Device > Log Settings
Events normally written to the Traffic, Threat, and WildFire Submission logs are routed via a Log
Forwarding profile.
A Log Forwarding profile specifying which log events are to be forwarded to which pre-defined destinations
Log Forwarding profiles are attached to individual firewall Security policies to enable forwarding
of the events associated with the processing of the specific policy. This granularity allows
administrators specific control of forwarding and the potential of different forwarding for
policies of differing importance.
Assigning a Log Forwarding profile to a Security policy.
All forwarded events are delivered as they are generated on the firewall.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/configure-
log-forwarding
A discussion of available log data and making it into information that can be acted on can be
found here:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/
pan/en_US/resources/whitepapers/actionable-threat-intelligence
Log information generally is located in the Monitor tab of the WebUI. The reporting sections
align with the general use of these reports. The Log section presents detailed, real-time data
with the ability to recall previous data (subjected to available storage). It is divided into sections
segmenting log data into related information. PAN-OS 7.1 includes a new Unified log that
collects copies of events from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data
Filtering logs into a single location for easy parsing of related data.
Each log provides similar features, making an organized presentation of desired data. Displayed
log data can be exported in CSV format at any time.
The CSV export option available on any detailed log display
This export will include all detail for the displayed records even if it isn't visible in the chosen
column display.
Displayed columns can be chosen using the white pull-down list appearing in any column header.
Each log display offers a powerful filtering capability facilitating the display of specific desired
data.
Filters can be added using two methods to eliminate the display of undesired traffic.
Filters can be built and even stored for future use. Specific data on this functionality can be
found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/work-with-
logs#67438
While the detailed log data remains in log storage, the firewall summarizes new log entries every
15 minutes and adds the results to separate on-board reporting databases, which are the default
sources for the ACC, App Scope, PDF Reports, and Custom Reports.
The scope of this summarization process can be controlled with settings on Device > Setup >
Management > Logging and Reporting Settings > Pre-Defined Reports.
Settings for the repeating report database summarization process
PDF Reports
The PDF Reports section offers many predefined PDF reports that can be run as a group on a
scheduled basis and delivered via email daily or weekly.
These reports typically run once per day and summarize all activity on the firewall. A report
browser of pre-defined reports appears on the right. When these reports are chosen, they
display their results for the previous day's traffic.
Pre-defined Report Browser showing choices of categories and specific reports on the right
The PDF Report section offers other important reporting tools. Custom reports can be created,
stored, and run on-demand and/or on a scheduled basis. More information can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/generate-
custom-reports#35712
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/generate-
user-group-activity-reports#91388
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/manage-
pdf-summary-reports#24063
App Scope reports focus on baseline comparisons of firewall usage. These reports provide
powerful tools to characterize changes in detected usage patterns. They were designed for
ad-hoc queries more than scheduled report output. Detailed information can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/app-
scope#22456
Other reports and displays on the firewall often support click-through of data items to uncover
more detail. This practice often results in a switch to the ACC with preset filters to focus only on
the previously displayed data. Detailed usage data can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/use-the-
application-command-center#73861
patterns, and when a match occurs it generates a correlated event. Detailed information can be
found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/use-the-
automated-correlation-engine#38973
Configuring a packet capture response to the detection of spyware
Information about configuring them and accessing the captured data can be found here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/take-a-
threat-packet-capture
Data Filtering Security profiles can take captures of configured patterns. Because this data
might be highly valuable, special password protections are provided for these stored captures.
Details can be found here:
https://live.paloaltonetworks.com/t5/Management-Articles/Enable-data-capture-for-data-
filtering-and-manage-data/ta-p/65934
The PAN-OS WebUI provides access to traffic packet captures. Additional pcap and debug tools are available through
the CLI.
Complete information about the configuration and use of this feature appears here:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/take-a-
custom-packet-capture#17879
Note: Some Palo Alto Networks firewalls include a Hardware Offload feature that optimizes the
handling of traffic. Offloaded traffic will not appear in packet captures in either the WebUI or
the CLI. PA-2000 Series, PA-3050, PA-3060, PA-4000 Series, PA-5000 Series, and PA-7000 Series
firewalls all have this feature. To guarantee that all packets are available for capture, a CLI
command must be run to temporarily disable hardware offload. See the following information
for details and for the CPU impact of doing so.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/monitoring/disable-
hardware-offload#85899
Note: WebUI packet captures cannot be used for traffic crossing the management interface.
Packet captures also can be performed from the CLI. Generalized dataplane packet captures
record traffic passing through dataplane processes; use the debug dataplane packet-diag
command family with its related settings (capture filters, capture stages, and output file names).
Several specific processes on the firewall support their own traffic captures. Details about using
CLI traffic captures can be found here:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Packet-Based-Troubleshooting-
Configuring-Packet-Captures-and/ta-p/54947?attachment-id=2589
Note: Management interface traffic cannot be captured by the previously mentioned CLI tools.
The CLI tcpdump command is the only tool with visibility into this traffic.
1. Choose the four destination types the firewall can forward log events to. (Choose four.)
a) Email
b) OWASP
c) Encrypted syslog
d) Panorama
e) SNMP traps
f) CEF
2. Complete the following statement (choose three): Traffic log entries can be written
when:
a) sessions are closed
b) sessions are opened
c) specified clock intervals are reached during a session's life
d) traffic processing is transitioned from slowpath to fastpath
e) traffic meets specific matching conditions
3. Complete the following statement (choose three): Packet captures can be performed
by:
a) Security profiles
b) manual configuration by an administrator in the WebUI
c) manual configuration on the CLI
d) specified trigger events from the WebUI
Further Resources
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is
not intended to guarantee that a passing score will be achieved on the exam. Palo Alto
Networks recommends that a candidate thoroughly understand the objectives indicated in this
guide and use the resources and courses recommended in this guide where needed to gain that
understanding.
Answer: b, c, and d
2. Which three options are next-generation features of Palo Alto Networks firewalls?
(Choose three.)
a) Cluster-ID
b) App-ID
c) Content-ID
d) Flow-ID
e) User-ID
Answer: b, c, and e
3. Which two Palo Alto Networks firewall models support active/active High Availability?
(Choose two.)
a) PA-200
b) VM-300
c) PA-7050
d) PA-3020
e) VM-200
Answer: c and d
Section 2 Answers
1. Which four of the following options are true regarding application identification?
(Choose four.)
a) Security policy is analyzed for a new match when an application shift occurs.
b) Viruses can be detected during an SSL session only if decryption is implemented.
c) Custom application definition must be created on external devices and imported to
the firewall.
d) Behavioral patterns can detect an application if decoders and signatures cannot.
e) Applications can be allowed or blocked on certain ports or all ports.
Answer: a, b, d, and e
2. What are three advantages of the Palo Alto Networks Next-Generation Firewall?
(Choose three.)
a) Application-based rather than port-based traffic recognition for better rules and
granularity
b) Ports can now be safely ignored because they are no longer a factor
c) Uses a stream-based, single-pass parallel processing engine for fast performance
d) Application signatures are distributed regularly from Palo Alto Networks, although
custom signatures cannot be created
e) Provides full Unified Threat Management on a single platform with one policy and
log database
Answer: a, c, and e
3. When destination NAT rules are configured, the associated security rule is matched
using which two options? (Choose two.)
a) Pre-NAT source zone and post-NAT destination zone
b) Post-NAT source zone and pre-NAT destination zone
c) Pre-NAT source zone and pre-NAT destination IP address
d) Pre-NAT source zone and post-NAT destination IP address
e) Post-NAT source zone and post-NAT destination zone
Answer: a and c
4. Which two options are true regarding policy evaluation? (Choose two.)
a) All rules are searched and the most specific rule will match.
b) Policies are evaluated from the top down, and the first match processes the traffic.
c) Interzone traffic is allowed by default.
d) Intrazone traffic is allowed by default.
e) Outbound traffic is allowed by default, inbound traffic only is evaluated.
Answer: b and d
5. Which three options are not true about Security profiles? (Choose three.)
a) Security profiles are evaluated from top down, with the first match processing the
traffic.
b) Security profiles are applied to all inbound traffic when they are enabled.
c) Security profiles enable a specific type of scanning (e.g., Virus, Spyware).
d) Security profiles can specify actions based on the username.
Answer: a, b, and d
Answer: a
7. Which three technologies can User-ID monitor for user authentication? (Choose three.)
a) Proxy Servers
b) Domain Controllers
c) Microsoft Office 365 Cloud Deployments
d) Wireless Access Controllers
e) Electronic Badge Readers
Answer: a, b, and d
Answer: c
Answer: a
10. Which of the following options cannot be specified when configuring QoS?
a) application
b) service
c) source user
d) destination zone
e) source interface
Answer: e
11. Based on the QoS rules shown in the following image, which class will be assigned for
youtube traffic when the source IP address is 192.168.3.3 and the user is known?
a) class 4
b) class 6
c) class 7
d) class 8
e) class 5
Answer: b
12. The firewall will skip the upload to WildFire in which three cases? (Choose three.)
a) The file has been signed by a trusted signer.
b) The file is being uploaded rather than downloaded.
c) The file is an attachment in an email.
d) The file hash matched a previous submission.
e) The file is larger than 10MB.
Answer: a, d, and e
13. The fastest recurrence interval for WildFire update checks is:
a) 1 minute
b) 10 minutes
c) 15 minutes
d) 30 minutes
e) 60 minutes
Answer: a
Section 3 Answers
1. Which two firewall ports can you connect to for initial firewall configuration tasks?
(Choose two.)
a) Traffic Port #1
b) Management Port
c) Console Port
d) Maintenance Port
Answer: b and c
Answer: c
3. Which of the following firewall configuration settings can Panorama manage? Choose all
that apply.
a) Traffic interface settings
b) High Availability settings
c) Administrative account settings
e) Enable multivirtual system capability
Answer: a, b, and c
4. Which three software components should be reviewed for the desired version during a
firewall installation? (Choose three.)
a) PAN-OS software
b) Firewall ROM/Firmware
c) Dynamic Update Files
d) Interface drivers
e) GlobalProtect Client package
Answer: a, c, and e
Answer: a and c
Answer: a, c, d, and f
Section 4 Answers
1. The Management network port on a firewall can be configured as which type of
interface?
a) Layer 2
b) Layer 3
c) Virtual wire
d) Serial
Answer: b
2. Palo Alto Networks firewalls implement which three types of traffic-handling objects to
forward traffic from one traffic port to another? (Choose three.)
a) Traffic forwarder
b) Virtual wires
c) VLANs
d) Virtual routers
e) Zones
f) Aggregate port groups
Answer: b, c, and d
3. Which five routing protocols can be implemented on Palo Alto Networks firewalls?
(Choose five.)
a) EIGRP
b) BGP
c) OSPF V2
d) OSPF V3
e) RIPV2
f) RIPV1
g) Multicast
h) IGRP
i) IS-IS
Answer: b, c, d, e, and g
Answer: a, e, f, and h
Answer: b and d
Answer: a and b
7. The configuration of a DoS Protection profile can defend nodes from which attacks?
a) Floods
b) TCP port scans
c) IP address spoofing
d) ICMP large packets
Answer: a
Section 5 Answers
1. Which six of the following options can be matching conditions in a Security policy?
(Choose six.)
a) Packet length
b) Source port number
c) Destination port number
d) Destination username
e) OS version of a connected GlobalProtect client
f) Time of day
g) Zone
h) App-ID
Answer: b, c, e, f, g, and h
2. Complete the following statement: When managed firewalls receive Security policies
from Panorama:
a) they replace locally defined policies
b) they are added above the local policies and ordered by ID number
c) they are added below local policies and ordered by ID number
d) they are merged with local policies depending on pre- or post-Panorama
designations
e) they can be modified by local firewall administrators
f) their position in the policy list can be changed by the local administrator
g) they can be deleted by local firewall administrators
Answer: d
3. Which five of the following are Security profiles representing Content-ID scanning?
(Choose five.)
a) Antivirus
b) Anti-Spyware
c) Zone Protection
d) URL Filtering
e) File Blocking
f) WildFire Analysis
g) Decryption
h) QoS
Answer: a, b, d, e, and f
4. When an address in a packet is changed by a NAT, which address is used in the Security
policy allowing the traffic through?
a) Pre NAT
b) Post NAT
Answer: a
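The rule-lookup behaviour that questions 3 and 4 of the preceding section's answers and questions 2 and 4 above test (pre-NAT source zone and pre-NAT addresses, post-NAT destination zone, top-down first match, Panorama pre- and post-rules around local rules, and the implicit intrazone-allow / interzone-deny defaults) modelled in a short added example; this is not code from the study guide or from Palo Alto Networks, and the zones, addresses and rule names are constructed for illustration.

```python
# Added example (not from the study guide): a small model of how a PAN-OS
# firewall picks the Security rule for a session. Zones, addresses and rule
# names are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed routing table; the longest matching prefix decides the zone.
ROUTES = [
    (ip_network("0.0.0.0/0"), "untrust"),
    (ip_network("10.1.1.0/24"), "dmz"),
    (ip_network("192.168.0.0/16"), "trust"),
]

# src/dst are the addresses as they appear on the wire before NAT.
Packet = namedtuple("Packet", "src dst app")
# Destination NAT: public address on the pre-NAT packet -> internal server.
DNatRule = namedtuple("DNatRule", "orig_dst translated_dst")
# Security rule fields are "any" or an exact value; src/dst are pre-NAT addresses.
SecRule = namedtuple("SecRule", "name from_zone to_zone src dst app action")

def zone_for(ip: str) -> str:
    """Zone of the egress interface a route lookup would choose for ip."""
    addr = ip_address(ip)
    best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return dict(ROUTES)[best]

def matches(rule: SecRule, pkt: Packet, from_zone: str, to_zone: str) -> bool:
    ok = lambda want, have: want == "any" or want == have
    return (ok(rule.from_zone, from_zone) and ok(rule.to_zone, to_zone)
            and ok(rule.src, pkt.src) and ok(rule.dst, pkt.dst)
            and ok(rule.app, pkt.app))

def lookup(pkt, nat_rules, pre_rules, local_rules, post_rules):
    """Return (rule name, action) the firewall applies to this session."""
    # Destination NAT is resolved first so the post-NAT destination zone is known.
    post_nat_dst = next((n.translated_dst for n in nat_rules
                         if n.orig_dst == pkt.dst), pkt.dst)
    from_zone = zone_for(pkt.src)       # pre-NAT source zone
    to_zone = zone_for(post_nat_dst)    # post-NAT destination zone
    # Panorama pre-rules, local rules, Panorama post-rules: top down, first
    # match, with IP addresses compared as they were before NAT.
    for rule in [*pre_rules, *local_rules, *post_rules]:
        if matches(rule, pkt, from_zone, to_zone):
            return rule.name, rule.action
    # Implicit defaults when no configured rule matched.
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

NAT = [DNatRule("203.0.113.10", "10.1.1.10")]
PRE = [SecRule("pano-block-tor", "any", "any", "any", "any", "tor", "deny")]
LOCAL = [
    # Written with the post-NAT address: can never match a pre-NAT packet.
    SecRule("web-wrong", "untrust", "dmz", "any", "10.1.1.10", "web-browsing", "allow"),
    # Pre-NAT address, post-NAT destination zone: this is the rule that hits.
    SecRule("web-in", "untrust", "dmz", "any", "203.0.113.10", "web-browsing", "allow"),
]
POST = [SecRule("pano-dns-out", "trust", "untrust", "any", "any", "dns", "allow")]

def demo():
    """Run a few constructed sessions through the model."""
    run = lambda pkt: lookup(pkt, NAT, PRE, LOCAL, POST)
    return {
        "inbound web": run(Packet("198.51.100.7", "203.0.113.10", "web-browsing")),
        "inbound tor": run(Packet("198.51.100.7", "203.0.113.10", "tor")),
        "lan ssh": run(Packet("192.168.1.5", "192.168.1.9", "ssh")),
        "outbound dns": run(Packet("192.168.1.5", "198.51.100.53", "dns")),
        "outbound ssh": run(Packet("192.168.1.5", "198.51.100.53", "ssh")),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The `web-wrong` rule is the classic mistake the exam questions are probing: written against the translated address, it is never hit, and the inbound session is only allowed because `web-in` names the pre-NAT address together with the post-NAT zone.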
5. Which two types of encryptions can a Palo Alto Networks firewall decrypt through
decryption policies? (Choose two.)
a) SSL
b) Blowfish
c) AES
d) SSH
e) 3DES
Answer: a and d
6. Complete the following statement: The firewall will decrypt traffic when:
a) a Security policy includes decryption as an action
b) the traffic matches a Decryption policy
c) the traffic matches a Decryption profile
Answer: b
7. Complete the following statement (choose two): Application Override policies will:
a) prevent matching traffic from entering VPN tunnels
b) apply a specified App-ID label to matching traffic
c) prevent matching traffic from being logged
d) cause matching traffic to bypass Content-ID processing
e) route traffic to WildFire for scanning
Answer: b and d
8. Palo Alto Networks suggests best practice is to use which type of App-ID in Override
policies?
a) Custom signatures
b) App-IDs already available in the App-ID database
Answer: a
Section 6 Answers
1. Choose the four destination types the firewall can forward log events to. (Choose four.)
a) Email
b) OWASP
c) Encrypted syslog
d) Panorama
e) SNMP traps
f) CEF
Answer: a, c, d, and e
2. Complete the following statement (choose three): Traffic log entries can be written
when:
a) sessions are closed
b) sessions are opened
c) specified clock intervals are reached during a session's life
d) traffic processing is transitioned from slowpath to fastpath
e) traffic meets specific matching conditions
Answer: a, b, and e
3. Complete the following statement (choose three): Packet captures can be performed
by:
a) Security profiles
b) manual configuration by an administrator in the WebUI
c) manual configuration on the CLI
d) specified trigger events from the WebUI
Answer: a, b, and c
Appendix B: Glossary
Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.
application programming interface (API): A set of routines, protocols, and tools for building
software applications and integrations.
boot sector: Contains machine code that is loaded into an endpoint's memory by firmware
during the startup process, before the operating system is loaded.
boot sector virus: Targets the boot sector or master boot record (MBR) of an endpoint's
storage drive or other removable storage media. See also boot sector and master boot record
(MBR).
bot: Individual endpoints that are infected with advanced malware that enables an attacker to
take control of the compromised endpoint. Also known as a zombie. See also botnet.
botnet: A network of bots (often tens of thousands or more) working together under the
control of attackers using numerous command and control (CnC) servers. See also bot.
bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which
organizations permit end users to download, install, and use their own personal apps on mobile
devices, primarily smartphones and tablets, for work-related purposes. See also bring your own
device (BYOD).
bring your own device (BYOD): A policy trend in which organizations permit end users to use
their own personal devices, primarily smartphones and tablets, for work-related purposes.
BYOD relieves organizations from the cost of providing equipment to employees, but creates a
management challenge due to the vast number and type of devices that must be supported.
See also bring your own apps (BYOA).
bulk electric system (BES): The large interconnected electrical system, consisting of generation
and transmission facilities (among others), that comprises the power grid.
child process: In multitasking operating systems, a sub-process created by a parent process that
is currently running on the system.
consumerization: A computing trend that describes the process that occurs as end users
increasingly find personal technology and apps that are more powerful or capable, more
convenient, less expensive, quicker to install, and easier to use, than enterprise IT solutions.
covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI
(such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies),
a health plan (such as a health insurance company, health maintenance organization, company
health plan, or government program including Medicare, Medicaid, military and veterans
healthcare), or a healthcare clearinghouse. See also Health Insurance Portability and
Accountability Act (HIPAA) and protected health information (PHI).
Critical Infrastructure Protection (CIP): Cybersecurity standards defined by NERC to protect the
physical and cyber assets necessary to operate the bulk electric system (BES). See also bulk
electric system (BES) and North American Electric Reliability Corporation (NERC).
data encapsulation: A process in which protocol information from the OSI layer immediately
above is wrapped in the data section of the OSI layer immediately below. See also open systems
interconnection (OSI) reference model.
electronic health record (EHR): As defined by HealthIT.gov, an EHR goes beyond the data
collected in the provider's office and include[s] a more comprehensive patient history. EHR data
can be created, managed, and consulted by authorized providers and staff from across more
than one healthcare organization.
electronic medical record (EMR): As defined by HealthIT.gov, an EMR contains the standard
medical and clinical data gathered in one provider's office.
endpoint: A computing device such as a desktop or laptop computer, handheld scanner,
point-of-sale (POS) terminal, printer, satellite radio, security or videoconferencing camera,
self-service kiosk, server, smart meter, smart TV, smartphone, tablet, or Voice over Internet
Protocol (VoIP) phone. Although endpoints can include servers and network equipment, the
term is generally used to describe end user devices.
Enterprise 2.0: A term introduced by Andrew McAfee and defined as the use of emergent
social software platforms within companies, or between companies and their partners or
customers. See also Web 2.0.
exclusive or (XOR): A Boolean operator in which the output is true only when the inputs are
different (for example, TRUE and TRUE equals FALSE, but TRUE and FALSE equals TRUE).
exploit: A small piece of software code, part of a malformed data file, or a sequence (string) of
commands, that leverages a vulnerability in a system or software, causing unintended or
unanticipated behavior in the system or software.
extensible markup language (XML): A programming language specification that defines a set of
rules for encoding documents in a human- and machine-readable format.
favicon (favorite icon): A small file containing one or more small icons associated with a
particular website or webpage.
Federal Information Security Management Act (FISMA): See Federal Information Security
Modernization Act (FISMA).
Federal Information Security Modernization Act (FISMA): A U.S. law that implements a
comprehensive framework to protect information systems used in U.S. federal government
agencies. Known as the Federal Information Security Management Act prior to 2014.
floppy disk: A removable magnetic storage medium commonly used from the mid-1970s until
approximately 2007, when they were largely replaced by removable USB storage devices.
generic routing encapsulation (GRE): A tunneling protocol developed by Cisco Systems that
can encapsulate various network layer protocols inside virtual point-to-point links.
Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement
privacy and information security policies to safeguard the non-public personal information of
clients and consumers. Also known as the Financial Services Modernization Act of 1999.
hacker: Originally used to refer to anyone with highly specialized computing skills, without
connoting good or bad purposes. However, common misuse of the term has redefined a hacker
as someone who circumvents computer security with malicious intent, such as a cybercriminal,
cyberterrorist, or hacktivist.
Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data
privacy and security requirements to protect individuals' medical records and other personal
health information. See also covered entity and protected health information (PHI).
heap spraying: A technique used to facilitate arbitrary code execution by injecting a certain
sequence of bytes into the memory of a target process.
indicator of compromise (IOC): A network or operating system (OS) artifact that provides a high
level of confidence that a computer security incident has occurred.
initialization vector (IV): A random number used only once in a session, in conjunction with an
encryption key, to protect data confidentiality. Also known as a nonce.
jailbreaking: Hacking an Apple iOS device to gain root-level access to the device. This is
sometimes done by end users so that they can download and install mobile apps without
paying for them, from sources other than the App Store that are not sanctioned or
controlled by Apple. Jailbreaking bypasses the security features of the device by replacing the
firmware's operating system with a similar, albeit counterfeit, version, which makes it
vulnerable to malware and exploits. See also rooting.
least privilege: A network security principle in which only the permission or access rights
necessary to perform an authorized task are granted.
malware: Malicious software or code that typically damages, takes control of, or collects
information from an infected endpoint. Malware broadly includes viruses, worms, Trojan
horses (including Remote Access Trojans, or RATs), anti-AV, logic bombs, backdoors, rootkits,
bootkits, spyware, and (to a lesser extent) adware.
master boot record (MBR): Contains information on how the logical partitions (or file systems)
are organized on the storage media, and an executable boot loader that starts up the installed
operating system.
metamorphism: A programming technique used to alter malware code with every iteration, to
avoid detection by signature-based anti-malware software. Although the malware payload
changes with each iteration (for example, by using a different code structure or sequence, or by
inserting garbage code to change the file size), the fundamental behavior of the malware
payload remains unchanged. Metamorphism uses more advanced techniques than
polymorphism. See also polymorphism.
mutex: A program object that allows multiple program threads to share the same resource,
such as file access, but not simultaneously.
Network and Information Security (NIS) Directive: A European Union (EU) directive that
imposes network and information security requirements to be enacted by national laws
across the EU within two years of adoption in 2016 for banks, energy companies, healthcare
providers and digital service providers, among others.
one-way (hash) function: A mathematical function that creates a unique representation (a hash
value) of a larger set of data in a manner that is easy to compute in one direction (input to
output), but not in the reverse direction (output to input). The hash function can't recover the
original text from the hash value. However, an attacker could attempt to guess what the
original text was and see if it produces a matching hash value.
open systems interconnection (OSI) reference model: Defines standard protocols for
communication and interoperability using a layered approach in which data is passed from the
highest layer (application) downward through each layer to the lowest layer (physical), then
transmitted across the network to its destination, then passed upward from the lowest layer to
the highest layer. See also data encapsulation.
packer: A software tool that can be used to obfuscate code by compressing a malware program
for delivery, then decompressing it in memory at runtime. See also obfuscation.
packet capture (PCAP): A traffic intercept of data packets that can be used for analysis.
Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security
standard mandated and administered by the PCI Security Standards Council (SSC), and
applicable to any organization that transmits, processes, or stores payment card (such as debit
and credit cards) information. See also PCI Security Standards Council (SSC).
PCI: See Payment Card Industry Data Security Standards (PCI DSS).
PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).
PCI Security Standards Council (SSC): Comprised of Visa, MasterCard, American Express,
Discover, and JCB, the SSC maintains, evolves, and promotes PCI DSS. See also Payment Card
Industry Data Security Standards (PCI DSS).
Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy
law that defines individual rights with respect to the privacy of their personal information, and
governs how private sector organizations collect, use, and disclose personal information in the
course of business.
Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards
and Technology (NIST) as any information about an individual maintained by an agency,
including (1) any information that can be used to distinguish or trace an individual's identity
and (2) any other information that is linked or linkable to an individual.
PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).
point-to-point protocol (PPP): A Layer 2 (data link) protocol used to establish a direct
connection between two nodes.
polymorphism: A programming technique used to alter a part of malware code with every
iteration, to avoid detection by signature-based anti-malware software. For example, an
encryption key or decryption routine may change with every iteration, but the malware payload
remains unchanged. See also metamorphism.
pre-shared key (PSK): A shared secret, used in symmetric key cryptography, which has been
exchanged between two parties communicating over an encrypted channel.
public key infrastructure (PKI): A set of roles, policies, and procedures needed to create,
manage, distribute, use, store, and revoke digital certificates and to manage public key
encryption.
rainbow table: A pre-computed table used to find the original value of a cryptographic hash
function.
Remote Authentication Dial-In User Service (RADIUS): A client/server protocol and software
that enables remote access servers to communicate with a central server to authenticate users
and authorize access to a system or service.
remote procedure call (RPC): An inter-process communication (IPC) protocol that enables an
application to be run on a different computer or network, rather than the local computer on
which it is installed.
representational state transfer (REST): An architectural programming style that typically runs
over HTTP, and is commonly used for mobile apps, social networking websites, and mashup
tools.
salt: Randomly generated data that is used as an additional input to a one-way hash function
that hashes a password or passphrase. The same original text hashed with different salts results
in different hash values.
Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in
publicly traded companies.
script kiddie: Someone with limited hacking and/or programming skills who uses malicious
programs (malware) written by others to attack a computer or network.
Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and
encrypted communication between a client and server to protect the confidentiality and
integrity of data exchanged in the session.
service set identifier (SSID): A case-sensitive, 32-character alphanumeric identifier that
uniquely identifies a Wi-Fi network.
software as a service (SaaS): A cloud computing service model, defined by the U.S. National
Institute of Standards and Technology (NIST), in which the capability provided to the consumer
is to use the provider's applications running on a cloud infrastructure. The applications are
accessible from various client devices through either a thin client interface, such as a web
browser, or a program interface. The consumer does not manage or control the underlying
cloud infrastructure including network, servers, operating systems, storage, or even individual
spear phishing: A highly targeted phishing attack that uses specific information about the target
to make the phishing attempt appear legitimate.
structured threat information expression (STIX): An XML format for conveying data about
cybersecurity threats in a standardized format. See also extensible markup language (XML).
Tor (The Onion Router): Software that enables anonymous communication over the internet.
Transport Layer Security (TLS): The successor to SSL (although it is still commonly referred to as
SSL). See also Secure Sockets Layer (SSL).
uniform resource locator (URL): A unique reference (or address) to an internet resource, such
as a webpage.
vulnerability: A bug or flaw that exists in a system or software, and creates a security risk.
Web 2.0: A term popularized by Tim O'Reilly and Dale Dougherty, unofficially referring to a new
era of the World Wide Web, which is characterized by dynamic or user-generated content,
interaction, and collaboration, and the growth of social media. See also Enterprise 2.0.
zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat
is released until security vendors release a signature file or security patch for the threat.
E-Learning
For those of you who want to keep up-to-date on our technology, a learning library of FREE
e-Learning is available. These on-demand, self-paced e-Learning classes are a great way of
reinforcing the key information for those who have been to the formal hands-on classes. They
also serve as a great overview and introduction to working with our technology for those
unable to travel to a hands-on, instructor-led class.
Simply register in our Learning Center and you will be given access to our e-Learning portfolio.
These online classes cover foundational material and contain narrated slides, knowledge
checks, and, where applicable, demos for you to access.
New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training:
Looking for a hands-on, instructor-led course in your area?
Palo Alto Networks Authorized Training Centers (ATCs) are located globally and offer a breadth
of solutions from onsite training to public, open environment classes. There are 53 authorized
training centers located at more than 80 locations worldwide. For class schedule, location, and
training offerings see https://www.paloaltonetworks.com/services/education/atc-locations.